Preface

The Department of Homeland Security (DHS) Office of Inspector General (OIG) was 
established by the Homeland Security Act of 2002 (Public Law 107-296) by amendment to
the Inspector General Act of 1978. This is one of a series of audit, inspection, and special 
reports prepared as part of our oversight responsibilities to promote economy, efficiency, and 
effectiveness within the department. 

The attached report presents the results of the DHS financial statements audits for fiscal years 
(FY) 2009 and 2008 and the results of an examination of internal control over financial 
reporting of the balance sheet as of September 30, 2009, and the statement of custodial 
activity for FY 2009. We contracted with the independent public accounting firm KPMG 
LLP (KPMG) to perform the audits. The contract required that KPMG perform its audits 
according to generally accepted government auditing standards and guidance from the Office 
of Management and Budget and the Government Accountability Office. KPMG was unable 
to provide an opinion on DHS' balance sheets as of September 30, 2009 and 2008, or on 
DHS' internal control over financial reporting of the FY 2009 balance sheet and statement of 
custodial activity. The FY 2009 auditor's report discusses six material weaknesses, two 
significant deficiencies in internal control, and five instances of noncompliance with laws 
and regulations. KPMG is responsible for the attached draft auditor's report and the 
conclusions expressed in the report. We do not express opinions on DHS' financial 
statements or provide conclusions on compliance with laws and regulations. 

The recommendations herein have been discussed in draft with those responsible for 
implementation. We trust this report will result in more effective, efficient, and economical 
operations. We express our appreciation to all of those who contributed to the preparation of 
this report. 



Richard L. Skinner 
Inspector General 

INDEPENDENT AUDITORS' REPORT



Secretary and Inspector General 

U.S. Department of Homeland Security: 

We were engaged to audit the accompanying balance sheets of the U.S. Department of Homeland Security (DHS 
or Department) as of September 30, 2009 and 2008, and the related statements of custodial activity for the years 
then ended (referred to herein as "financial statements"). We were also engaged to examine the Department's 
internal control over financial reporting of the balance sheet as of September 30, 2009, and statement of custodial 
activity for the year then ended. In connection with our audit engagement, we also considered DHS' compliance 
with certain provisions of applicable laws, regulations, contracts, and grant agreements that could have a direct 
and material effect on the balance sheet as of September 30, 2009 and the related statement of custodial activity 
for the year ended. We were not engaged to audit the accompanying statements of net cost, changes in net 
position, and budgetary resources, for the years ended September 30, 2009 and 2008 (referred to herein as "other 
fiscal year [FY] 2009 and 2008 financial statements"), or to examine internal control over financial reporting over 
the other FY 2009 financial statements. 

Summary 

As stated in our report on the financial statements, the scope of our work was not sufficient to express an opinion 
on the DHS balance sheets as of September 30, 2009 and 2008, or the related statements of custodial activity for 
the years then ended. 

As stated in our report on internal control over financial reporting, we were unable to perform procedures necessary 
to form an opinion on DHS' internal control over financial reporting of the FY 2009 balance sheet and statement of 
custodial activity. 

Material weaknesses in internal control over financial reporting have been identified in the following areas: 

• Financial Management and Reporting 

• Information Technology Controls and Financial System Functionality 

• Fund Balance with Treasury 

• Property, Plant, and Equipment and Operating Materials and Supplies 

• Actuarial and Other Liabilities 

• Budgetary Accounting. 

Significant deficiencies have been identified in the following areas: 

• Other Entity Level Controls 

• Custodial Revenue and Drawback. 

The results of our tests of compliance with certain provisions of laws, regulations, contracts, and grant agreements 
disclosed instances of noncompliance or other matters in the following areas that are required to be reported under 
Government Auditing Standards, issued by the Comptroller General of the United States, and Office of 
Management and Budget (OMB) Bulletin No. 07-04, Audit Requirements for Federal Financial Statements, as 
amended: 

• Federal Managers' Financial Integrity Act of 1982 (FMFIA), and Laws and Regulations Supporting
OMB Circular No. A-50, Audit Follow-up, as revised 

• Federal Financial Management Improvement Act of 1996 (FFMIA) 

• Single Audit Act Amendments of 1996 

• Chief Financial Officers Act of 1990 

• Anti-deficiency Act. 



We also reported other matters related to compliance with the Anti-deficiency Act at the National Protection and 
Programs Directorate (NPPD), Federal Emergency Management Agency (FEMA), United States Secret Service 
(USSS), and United States Coast Guard (Coast Guard). 

Other deficiencies in internal control, potentially including additional material weaknesses and significant 
deficiencies, and other instances of non-compliance may have been identified and reported had we been able to 
perform all procedures necessary to express an opinion on DHS' balance sheets as of September 30, 2009 and 
2008, and the related statements of custodial activity for the years then ended, had we been able to perform all 
procedures necessary to express an opinion on DHS' internal control over financial reporting of the balance sheet 
as of September 30, 2009, and statement of custodial activity for the year then ended, and had we been engaged to 
audit the other FY 2009 and 2008 financial statements, and to examine internal control over financial reporting of 
the other FY 2009 financial statements. 

The following sections discuss the reasons why we are unable to express an opinion on the accompanying DHS 
financial statements; why we were unable to express an opinion on internal control over financial reporting of the 
balance sheet as of September 30, 2009, and statement of custodial activity for the year then ended; our tests of 
DHS' compliance with certain provisions of applicable laws, regulations, contracts, and grant agreements and 
other matters; and management's and our responsibilities. 

Report on the Financial Statements 

We were engaged to audit the accompanying balance sheets of the U.S. Department of Homeland Security as of 
September 30, 2009 and 2008, and the related statements of custodial activity for the years then ended. These 
financial statements are the responsibility of DHS management. 

The Coast Guard was unable to provide sufficient evidential matter that supports transactions and certain balance
sheet accounts including fund balance with Treasury, accounts receivable, inventory and related property, general 
property, plant and equipment including heritage assets and stewardship land, actuarially-derived liabilities, 
environmental and other liabilities, and net position, as reported in the accompanying DHS balance sheets as of 
September 30, 2009 and 2008. The total assets of the Coast Guard, as reported in the accompanying DHS balance 
sheets, were $18.8 billion and $17.4 billion, or 22 and 20 percent of total DHS consolidated assets as of 
September 30, 2009 and 2008, respectively. 

The Transportation Security Administration (TSA) was unable to provide sufficient evidential matter that supports 
certain general property, plant, and equipment balances and related effects on net position, as reported in the 
accompanying DHS balance sheets as of September 30, 2009 and 2008. The TSA general property, plant, and 
equipment balances reported in the accompanying DHS balance sheets were $997 million and $932 million as of 
September 30, 2009 and 2008, respectively, or 6 percent of DHS' consolidated general property, plant, and 
equipment in both years. 

We were unable to obtain certain representations from DHS management regarding consistency with U.S. 
generally accepted accounting principles, with respect to the presentation of the accompanying DHS balance 
sheets as of September 30, 2009 and 2008, and the related statements of custodial activity for the years then 
ended. 

It was impractical to extend our procedures sufficiently to determine the extent, if any, to which the DHS balance 
sheets as of September 30, 2009 and 2008, and the related statements of custodial activity for the years then 
ended, may have been affected by the matters discussed in the three preceding paragraphs. Accordingly, the 
scope of our work was not sufficient to enable us to express, and we do not express, an opinion on these financial 
statements and the related notes thereto. 

We were not engaged to audit the accompanying statements of net cost, changes in net position, and budgetary 
resources for the years ended September 30, 2009 and 2008, and accordingly, we do not express an opinion on 
these other FY 2009 and 2008 financial statements. 

As discussed in Note 32, DHS restated its FY 2008 financial statements to correct multiple errors identified by 
TSA, Coast Guard, United States Customs and Border Protection, United States Immigration and Customs 
Enforcement, NPPD, United States Citizenship and Immigration Services, Federal Law Enforcement Training 
Center, and the Science and Technology Directorate, that required adjustment of balances previously reported in 
DHS' FY 2008 financial statements. Because of the matters discussed in the second and third paragraphs of the 
report on the financial statements regarding our audits at the Coast Guard and TSA, we were unable to audit the 
restatements identified by the Coast Guard and TSA, and accordingly, we have not concluded on the
appropriateness of this accounting treatment or the restatement of the DHS balance sheet as of September 30, 2008. 

The information in the Management's Discussion and Analysis (MD&A), Required Supplementary Stewardship 
Information (RSSI), and Required Supplementary Information (RSI) sections of the DHS FY 2009 AFR is not a 
required part of the financial statements, but is supplementary information required by U.S. generally accepted 
accounting principles. We were unable to complete limited procedures over MD&A, RSSI, and RSI as prescribed 
by professional standards because of the limitations on the scope of our audit described in the previous paragraphs 
of this section of our report. Certain information presented in the MD&A, RSSI, and RSI is based on other FY 
2009 and 2008 financial statements on which we have not expressed an opinion. We did not audit the MD&A, 
RSSI, and RSI, and accordingly, we express no opinion on it. However, we noted that DHS did not include 
summary performance information that is aligned with its FY 2009 strategic goals and other information, within 
the MD&A section of the FY 2009 AFR, as required by OMB Circular No. A-136, Financial Reporting 
Requirements, as amended. DHS is currently performing a quadrennial review for the purpose of developing an 
updated strategic plan around new priorities established by the Secretary. 

The information in the Other Accompanying Information section of DHS' FY 2009 AFR is presented for purposes 
of additional analysis, and is not a required part of the financial statements. This information has not been
subjected to auditing procedures, and accordingly, we express no opinion on it. 

Report on Internal Control over Financial Reporting 

We were engaged to examine the Department's internal control over financial reporting of the balance sheet as of 
September 30, 2009, and statement of custodial activity for the year then ended, based on the criteria established in 
OMB Circular No. A-123, Management's Responsibility for Internal Control, Appendix A. DHS management is
responsible for establishing and maintaining effective internal control over financial reporting, and for its assertion 
on the effectiveness of internal control over financial reporting, included in the Secretary's Assurance Statement on 
pages 26-27 of the DHS FY 2009 AFR. We were not engaged to examine and report on internal control over 
financial reporting at the DHS component level. 

The Coast Guard was unable to provide documentation of key processes, risk assessments, or evidence supporting 
the existence of internal controls, and management acknowledges that pervasive material weaknesses exist in key 
financial processes, and is therefore unable to make an assertion on the effectiveness of internal control over 
financial reporting. In addition, as discussed in the second paragraph of our report on the financial statements 
above, the Coast Guard was unable to provide evidential matter that supports transactions and account balances that
are material to DHS' financial statements. Accordingly, we were unable to perform the examination procedures 
necessary to form an opinion on DHS' internal control over financial reporting of the balance sheet as of September 
30, 2009, and statement of custodial activity for the year then ended. It was impractical to extend our procedures 
sufficiently to determine the extent, if any, to which the FY 2009 balance sheet and statement of custodial activity 
may have been affected by these circumstances. 

Because of its inherent limitations, internal control over financial reporting may not prevent, or detect and correct 
misstatements. Also, projections of any evaluation of effectiveness to future periods are subject to the risk that 
controls may become inadequate because of changes in conditions, or that the degree of compliance with the 
policies or procedures may deteriorate. 

A material weakness is a deficiency, or a combination of deficiencies, in internal control over financial reporting, 
such that there is a reasonable possibility that a material misstatement of the entity's financial statements will not be 
prevented, or detected and corrected on a timely basis. If one or more material weaknesses exist, an entity's internal 
control over financial reporting cannot be considered effective. Material weaknesses in internal control over 
financial reporting have been identified in the following areas: 

• Financial Management and Reporting 

• Information Technology Controls and Financial Systems Functionality 

• Fund Balance with Treasury 

• Property, Plant, and Equipment and Operating Materials and Supplies 

• Actuarial and Other Liabilities 

• Budgetary Accounting. 

Deficiencies at the Coast Guard that are considered to be material weaknesses at the consolidated level, when 
aggregated with deficiencies existing at other components, are presented in Exhibit I. Deficiencies at other DHS 
components that are considered to be material weaknesses at the consolidated level, when aggregated with
deficiencies existing at the Coast Guard, are presented in Exhibit II. 

A control deficiency exists when the design or operation of a control does not allow management or employees, in 
the normal course of performing their assigned functions, to prevent or detect and correct misstatements on a 
timely basis. A significant deficiency is a deficiency, or a combination of deficiencies, in internal control over 
financial reporting that is less severe than a material weakness, yet important enough to merit attention by those 
charged with governance. Our consideration of internal control was for the purpose described in the first 
paragraph of this section and would not necessarily identify all deficiencies in DHS' internal control that might be 
significant deficiencies. However, in accordance with Government Auditing Standards, we are required to report 
significant deficiencies in internal control identified during our examination. Significant deficiencies have been 
identified in the following areas: 

• Other Entity Level Controls 

• Custodial Revenue and Drawback. 

Exhibit III presents significant deficiencies at the consolidated level. 

Because of the limitation on the scope of our examination described in the second paragraph of this report, the 
scope of our work was not sufficient to enable us to express, and we do not express, an opinion on the 
effectiveness of DHS' internal control over financial reporting of the balance sheet as of September 30, 2009, and 
related statement of custodial activity for the year then ended. We were not engaged to examine internal controls 
over financial reporting of the accompanying statements of net cost, changes in net position, and budgetary 
resources, for the year ended September 30, 2009. Additional deficiencies in internal control over financial 
reporting, potentially including additional material weaknesses and significant deficiencies, may have been 
identified and reported had we been able to perform all procedures necessary to express an opinion on DHS' 
internal control over financial reporting of the FY 2009 balance sheet and statement of custodial activity, and had 
we been engaged to audit the other FY 2009 and 2008 financial statements, and to examine internal control over 
financial reporting over the other FY 2009 financial statements. 

A summary of the status of FY 2008 material weaknesses and significant deficiencies is included as Exhibit V. 
We also noted certain additional deficiencies involving internal control over financial reporting and its operation 
that we will report to the management of DHS in a separate letter. 

Report on Compliance and Other Matters 

In connection with our engagement to audit the balance sheet of DHS as of September 30, 2009, and statement
of custodial activity for the year then ended, we performed tests of DHS' compliance with certain provisions of 
laws, regulations, contracts, and grant agreements, noncompliance with which could have a direct and material 
effect on the determination of the balance sheet amounts as of September 30, 2009, and the related statement of 
custodial activity for the year then ended, and certain provisions of other laws and regulations specified in OMB 
Bulletin No. 07-04, as amended, including the provisions referred to in Section 803(a) of FFMIA. We limited our 
tests of compliance to the provisions described in the preceding sentence, and we did not test compliance with all 
laws, regulations, contracts, and grant agreements applicable to DHS. However, providing an opinion on 
compliance with laws, regulations, contracts, and grant agreements was not an objective of our engagement, and 
accordingly, we do not express such an opinion. 

Management is responsible for complying with laws, regulations, contracts and grant agreements applicable to 
DHS. 

The results of certain of our tests of compliance exclusive of those referred to in the FFMIA, disclosed five 
instances of noncompliance or other matters that are required to be reported under Government Auditing 
Standards or OMB Bulletin No. 07-04, as amended, and are described in Exhibit IV. 

The results of our other tests of compliance exclusive of those referred to in FFMIA, disclosed no other instances 
of noncompliance or other matters that are required to be reported under Government Auditing Standards or OMB 
Bulletin No. 07-04, as amended. 

The results of our tests of FFMIA disclosed instances described in Exhibits I, II, and III where DHS' financial 
management systems did not substantially comply with (1) Federal financial management systems requirements, 
(2) applicable Federal accounting standards, and (3) the United States Government Standard General Ledger at 
the transaction level. 

As discussed in our reports on the financial statements and internal control over financial reporting, the scope of our
work was not sufficient to express an opinion on the balance sheets as of September 30, 2009 and 2008, and the 
related statements of custodial activity for the years then ended, or to express an opinion on the effectiveness of 
internal control over financial reporting of the balance sheet as of September 30, 2009 and the related statement of 
custodial activity for the year then ended. Accordingly, other instances of noncompliance with laws, regulations, 
contracts, and grant agreements may have been identified and reported, had we been able to perform all procedures 
necessary to complete our audit of the financial statements and examination of internal control over financial 
reporting of the balance sheet as of September 30, 2009 and the related statements of custodial activity for the year 
then ended, and had we been engaged to audit the other FY 2009 and 2008 financial statements and to examine 
internal control over financial reporting over the other FY 2009 financial statements. In addition, because of the 
matters discussed in the second paragraph of our report on the financial statements, we were unable to complete tests 
of compliance over the Prompt Payment Act and Titles 10, 14, 31 (as related to the Anti-deficiency Act), and 37 of
the United States Code at the Coast Guard. 

Other Matters: Management of the NPPD, FEMA, USSS, and Coast Guard have initiated reviews of certain 
collections, classification and use of funds, expenditures and/or obligations recorded that may identify a violation 
of the Anti-deficiency Act, or other violations of appropriation law in FY 2009 or in previous years. 

Management's Response to Internal Control and Compliance Findings 

DHS management has indicated in a separate letter immediately following this report that it concurs with the 
findings presented in Exhibits I, II, III, and IV of our report. We did not audit DHS' response, and accordingly, 
we express no opinion on it. 



Restricted Use 

This report is intended solely for the information and use of DHS management, DHS Office of Inspector General, 
OMB, U.S. Government Accountability Office, and the U.S. Congress, and is not intended to be and should not be 
used by anyone other than these specified parties. 




November 13, 2009

Independent Auditors' Report

Introduction to Exhibits on Internal Control and Compliance and Other Matters 



Our report on internal control over financial reporting and compliance and other matters is presented in 
accordance with Government Auditing Standards, issued by the Comptroller General of the United States. 
The internal control weaknesses and findings related to compliance with certain laws, regulations, 
contracts, and grant agreements presented herein were identified during our engagement to audit the 
Department's balance sheet as of September 30, 2009, and statement of custodial activity for the year
then ended (financial statements), and to examine internal control over financial reporting of those financial 
statements. We were not engaged to audit the Department's fiscal year (FY) 2009 statements of net cost, 
changes in net position, and budgetary resources (referred to as other FY 2009 financial statements), or to 
examine internal controls over financial reporting of the other FY 2009 financial statements. Our findings 
and the status of prior year findings are presented in five exhibits: 

Exhibit I Significant deficiencies in internal control identified at the United States Coast Guard 
(Coast Guard). All of the significant deficiencies reported in Exhibit I are considered
material weaknesses at the U.S. Department of Homeland Security (DHS) consolidated 
level when combined with other significant deficiencies reported in Exhibit II. 

Exhibit II Significant deficiencies in internal control identified throughout the Department or at other 
DHS components (components other than Coast Guard are collectively referred to as DHS 
Civilian Components). All of the significant deficiencies reported in Exhibit II are
considered material weaknesses at the DHS consolidated level when combined with other 
significant deficiencies reported in Exhibit I. 

Exhibit III Significant deficiencies that are not considered a material weakness at the DHS 
consolidated financial statement level. 

Exhibit IV Instances of noncompliance with certain laws, regulations, contracts, and grant agreements 
that are required to be reported under Government Auditing Standards or Office of 
Management and Budget (OMB) Bulletin No. 07-04, Audit Requirements for Federal 
Financial Statements, as amended. 

Exhibit V The status of our findings reported in FY 2008. 

As stated in our Independent Auditors' Report, the scope of our work was not sufficient to enable us to 
express an opinion on the effectiveness of DHS' internal control over financial reporting of the balance
sheet as of September 30, 2009, and related statement of custodial activity for the year then ended. In 
addition, the scope of our work was not sufficient to express an opinion on the financial statements that we 
were engaged to audit; consequently, additional deficiencies in internal control over financial reporting, 
potentially including additional material weaknesses and significant deficiencies, may have been identified 
and reported had we been able to perform all procedures necessary to express an opinion on DHS' internal 
control over financial reporting of the financial statements, and had we been engaged to audit the other FY
2009 financial statements, and to examine internal control over financial reporting of the other FY 2009
financial statements. 

The determination of which findings rise to the level of a material weakness is based on an evaluation of 
how deficiencies identified in all components, considered in aggregate, may affect the DHS balance sheet 
as of September 30, 2009, or the related statement of custodial activity for the year then ended. 

We have also performed follow-up procedures on findings identified in previous engagements to audit the 
DHS financial statements. All of the significant deficiencies identified and reported in Exhibit I for the
Coast Guard are repeated from our FY 2008 and FY 2007 report, and include updates for new findings 
resulting from our 2009 procedures. To provide trend information for the DHS Civilian Components, 
Exhibit II contains a Trend Table next to the heading of each finding, except Comment II-B, IT Controls 
and Financial System Functionality. The Trend Tables in Exhibit II depict the severity and current status 
of findings by component that has contributed to that finding from FY 2007 through FY 2009. 

A summary of our findings in FY 2009 and FY 2008 is presented in the Tables below:



Table 1 Presents a summary of our internal control findings, by component, for FY 2009. 

Table 2 Presents a summary of our internal control findings, by component, for FY 2008. 

We have reported six material weaknesses and two significant deficiencies at the Department level in FY 
2009, shown in Table 1.

TABLE 1 - SUMMARIZED DHS FY 2009 INTERNAL CONTROL FINDINGS

Comment / Financial Statement Area

Material Weaknesses:

A Financial Management and Reporting
B IT Controls and System Functionality
C Fund Balance with Treasury
D PP&E and OM&S
E Actuarial and Other Liabilities
F Budgetary Accounting

Significant Deficiencies:

G Other Entity-Level Controls
H Custodial Revenue and Drawback

TABLE 2 - SUMMARIZED DHS FY 2008 INTERNAL CONTROL FINDINGS

Comment / Financial Statement Area

Material Weaknesses:

A Financial Reporting
B IT General and App. Controls
C Fund Balance with Treasury
D Capital Assets and Supplies
E Actuarial and Other Liabilities
F Budgetary Accounting

Significant Deficiencies:

G Entity-Level Controls
H Custodial Revenue and Drawback
I Deferred Revenue


SD 



Control deficiency findings are more severe 
Control deficiency findings are less severe 

Material weakness at the Department level exists when all findings are aggregated 
Significant deficiency at the Department level exists when all findings are aggregated 



All components of DHS, as defined in Note 1 A - Reporting Entity, to the financial statements, were included 
in the scope of our engagement to audit the consolidated balance sheet of DHS as of September 30, 2009, and 
the related statement of custodial activity for the year then ended, and to examine internal control over 
financial reporting of those financial statements. Accordingly, our engagement to audit and examine internal
control considered significant account balances, transactions, and accounting processes of other DHS 
components not listed above. Control deficiencies identified in other DHS components that are not identified 
in the table above did not individually, or when combined with other component findings, contribute to a 
significant deficiency at the DHS consolidated financial statement level. 



Exhibit I - Material Weaknesses in Internal Control - U.S. Coast Guard 



I-A Financial Management and Reporting 

Background: In fiscal year (FY) 2009, we were engaged to perform an examination of internal controls 
over financial reporting. The auditors' objective in an examination of internal control is to form an opinion 
on the effectiveness of internal control. When planning our examination, we gave appropriate emphasis to 
testing entity-level controls, such as management's risk assessment and monitoring processes, and other 
control environment elements that exist throughout the Department of Homeland Security (DHS or 
Department). Four Department-wide control environment conditions were identified through our 
examination procedures that have a pervasive influence on the control environment and effectiveness of 
control activities at the United States Coast Guard (Coast Guard). This Exhibit should be read in 
conjunction with the Department-wide conditions and recommendations described in Comment II-A,
Financial Management and Reporting. 

In previous years, we reported that the Coast Guard had several internal control deficiencies that led to a 
material weakness in financial reporting. In response, the Coast Guard developed its Financial Strategy for 
Transformation and Audit Readiness (FSTAR), which is a comprehensive plan to identify and correct 
conditions that are causing control deficiencies, which in some cases prevent the Coast Guard from 
preparing auditable financial statements. The Coast Guard did make progress in FY 2009 by completing its 
planned corrective actions over pension liabilities, allowing management to make assertions on 
completeness and accuracy on more than $25 billion of accrued liabilities, which represents more than 50 
percent of DHS' total liabilities. In addition, the Coast Guard sustained financial reporting assertions 
attained in the previous fiscal year over investments representing more than $3 billion or the majority of the 
Department's balance for this line item, while also sustaining financial reporting assertions for contingent 
legal liabilities and Federal Employees' Compensation Act (FECA)-related line items. The FSTAR calls
for substantially more activity in FY 2010; consequently, many of the financial reporting deficiencies we 
reported in the past remain uncorrected at September 30, 2009. 

Conditions: 

1. In FY 2009, we identified certain entity-level control weaknesses that may interfere with the timely 
completion of corrective actions planned for FY 2010 and beyond. The Coast Guard: 

• Does not have sufficient financial management personnel to identify and address control 
weaknesses, and to develop and implement effective policies, procedures, and internal controls to 
ensure that data supporting financial statement assertions are complete and accurate, and that 
transactions are accounted for consistent with GAAP; 

• Has not fully implemented an on-going Coast Guard-wide risk assessment by financial, IT, and 
program personnel; 

• Has not developed and/or fully implemented information and communication processes and 
controls relevant to financial reporting; and 

• Has not fully implemented adequate monitoring controls over headquarters, areas/districts, and 
units with significant financial activity. 

2. Does not have properly designed, implemented, and effective policies, procedures, processes, and 
controls surrounding its financial reporting process, as necessary to: 

• Support beginning balances, year-end close-out, and the cumulative results of operations analysis 
in its general ledgers individually and/or in the aggregate; 

• Ensure that transactions and accounting events at Coast Guard headquarters, areas/districts, and 
units are appropriately supported and accounted for in its general ledgers; 

• Ensure financial statement disclosures submitted for incorporation in the DHS financial statements 
are accurate and complete; 



Independent Auditors' Report 

Exhibit I - Material Weaknesses in Internal Control - U.S. Coast Guard 



• Ascertain that intragovernmental activities and balances are identified and differences, especially 
with agencies outside DHS, are being resolved in a timely manner in coordination with the 
Department's Office of Financial Management (OFM); 

Cause/Effect: The Coast Guard has not developed and implemented an effective general ledger system. 
The Core Accounting System (CAS), Aircraft Logistics Management Information System (ALMIS), and 
Naval Engineering Supply Support System (NESSS) general ledgers do not comply with the requirements 
of the Federal Financial Management Improvement Act of 1996 (FFMIA). The general ledgers do not 
allow for compliance with the United States Standard General Ledger (USSGL) at the transaction level, 
and period-end and opening balances are not supported by transactional detail in the three general ledgers. 
The conditions described below in Comment I-B, Information Technology Controls and Financial System 
Functionality contribute to the financial reporting control deficiencies, and make correction more difficult. 
In addition, the Coast Guard was unable to provide reasonable assurance that internal controls over 
financial reporting are operating effectively and has acknowledged that pervasive material weaknesses exist 
in key financial processes. Consequently, the Coast Guard cannot be reasonably certain that its financial 
statements are reliable, or assert to the completeness, existence, accuracy, valuation, rights and obligations, 
or presentation of their financial data related to their balances of fund balance with Treasury, accounts 
receivable, inventory and related property, general property, plant, and equipment, including heritage assets 
and stewardship land, actuarially-derived liabilities, environmental and other liabilities, and net position as 
reported in the Department's balance sheets as of September 30, 2009 and 2008. 

Criteria: FFMIA Section 803(a) requires that Federal financial management systems substantially comply 
with (1) applicable Federal accounting standards, (2) Federal financial management system requirements, 
and (3) the USSGL at the transaction level. FFMIA emphasizes the need for agencies to have systems that 
can generate timely, reliable, and useful information with which to make informed decisions to ensure 
ongoing accountability. 

The Federal Managers' Financial Integrity Act of 1982 (FMFIA) requires that agencies establish internal 
controls according to standards prescribed by the Comptroller General. These standards are specified in the 
Government Accountability Office's (GAO) Standards for Internal Control in the Federal Government 
(Standards). These standards define internal control as an integral component of an organization's 
management that provides reasonable assurance that the following objectives are being achieved: 
effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable 
laws and regulations. 

The GAO Standards require that internal controls be documented in management directives, administrative 
policies or operating manuals; transactions and other significant events be clearly documented; and 
information be recorded and communicated timely with those who need it within a timeframe that enables 
them to carry out their internal control procedures and other responsibilities. The GAO Standards also 
identify the control environment as one of the five key elements of control, which emphasizes the 
importance of conscientiousness in management's operating philosophy and commitment to internal 
control. These standards cover controls such as human capital practices, supervisory reviews, policies, 
procedures, monitoring, and segregation of duties. 

The Treasury Federal Intragovernmental Transactions Accounting Policies Guide, dated August 6, 2009, 
and OMB Circular No. A-136, Financial Reporting Requirements, as revised, require Federal CFO Act and 
non-CFO Act entities identified in the Treasury Financial Manual (TFM) 2009, Vol. I, Part 2, Chapter 
4700, Agency Reporting Requirements for the Financial Report of the United States Government, to 
perform quarterly reconciliations of intragovernmental activity/balances. TFM, Section 4706, 
Intragovernmental Requirements, provides guidance on OMB Circular No. A-136 requirements for 
reporting agencies to reconcile and confirm intragovernmental activity and balances quarterly for specific 
reciprocal groupings. TFM Bulletin 2007-03, Intragovernmental Business Rules, also provides standardized 
guidance to Federal agencies for reconciling and recording intragovernmental activities. 

Recommendations: We recommend that the Coast Guard: 

1. Continue the implementation of the FSTAR as planned; 

2. Conduct a human resource needs assessment and financial organizational assessment to identify gaps 
in skill sets, hire or realign personnel to fill the gaps, and assign personnel with responsibilities that 
best match their expertise, and consider updating the financial organizational structure based on the 
human resources needs assessment; 

3. Improve entity-level controls by fully implementing a formal risk assessment process, evaluating and 
updating processes used to communicate policies and ensure that all transactions are recorded 
completely and accurately, and improving monitoring controls over financial data supporting the general 
ledger and financial statements; 

4. Implement accounting and financial reporting processes including an integrated general ledger system 
that is FFMIA compliant; and 

5. Establish new or improve existing policies, procedures, and related internal controls to ensure that: 

a. The year-end close-out process, reconciliations, and financial data and account analysis 
procedures are supported by documentation, including evidence of effective management review 
and approval, and beginning balances in the following year are determined to be reliable and 
auditable; 

b. All accounting transactions and balances are properly reflected in the financial statements 
consistent with GAAP; 

c. Financial statement disclosures submitted for incorporation in the DHS financial statements are 
accurate and complete; and 

d. All intragovernmental activity and balances are accurately reflected in the financial statements, 
and differences are resolved in a timely manner in coordination with the Department's OFM. 

I-B Information Technology Controls and Financial System Functionality 

Background: Information Technology (IT) general and application controls are essential for achieving 
effective and reliable reporting of financial and performance data. IT general controls (ITGC) are tested 
using the objectives defined by the GAO's Federal Information System Controls Audit Manual (FISCAM), 
in five key control areas: security management, access control, configuration management, segregation of 
duties, and business continuity. Our procedures included a review of the Coast Guard's key ITGC 
environments. 

We also considered the effects of financial systems functionality when testing internal controls since key 
Coast Guard financial systems are not compliant with FFMIA and are no longer supported by the original 
software provider. Functionality limitations add to the challenge of addressing systemic internal control 
weaknesses, and strengthening the control environment at the Coast Guard. 

In FY 2009, our IT audit work identified 20 IT findings, of which 11 were repeat findings from the prior 
year and 9 were new findings. In addition, we determined that the Coast Guard remediated 9 IT findings 
identified in previous years. Specifically, the Coast Guard took actions to improve aspects of its ITGC by 
strengthening access controls around key programs and data, and in its entity-wide security program. 

Conditions: Our findings related to IT controls and financial system functionality are as follows: 

Related to IT Controls: 

Condition: We noted that the Coast Guard's core financial system configuration management process 
controls are not operating effectively and continue to present risks to DHS financial data confidentiality, 
integrity, and availability. Financial data in the general ledger may be compromised by automated and 
manual changes that are not adequately controlled. For example, the Coast Guard uses an IT scripting 
process to make updates to its core general ledger software as necessary to process financial data. 
However, the Coast Guard has not (a) fully developed testing standards to guide staff in the development 
and functional testing of IT scripts, (b) documented policies and procedures over testing plans that must be 
performed, and (c) ensured that all necessary approvals are obtained prior to implementation. 

All of our ITGC findings are described in detail in a separate Limited Official Use (LOU) letter provided to 
the Coast Guard and DHS management. 

Related to financial system functionality: 

We noted that financial system functionality limitations are contributing to control deficiencies reported 
elsewhere in Exhibit I, are inhibiting progress on corrective actions for the Coast Guard, and preventing the 
Coast Guard from improving the efficiency and reliability of its financial reporting processes. Some of the 
financial system limitations lead to extensive manual and redundant procedures to process transactions, 
verify accuracy of data, and to prepare financial statements. Systemic conditions related to financial 
system functionality include: 

1. As noted above, the Coast Guard's core financial system configuration management process is not 
operating effectively due to inadequate controls over IT scripts. The IT script process was instituted as 
a solution primarily to compensate for system functionality and data quality issues; 

2. Annual financial system account recertifications are not being performed due to limitations; 

3. Financial system audit logs are not readily generated and reviewed, as some of the financial systems 
are lacking this capability; 

4. Aspects of DHS-required system password requirements are not implemented because some financial 
systems cannot support the policy; 

5. Production versions of operational financial systems are outdated, no longer supported by the vendor, 
and do not provide the necessary core functional capabilities (e.g., general ledger capabilities); 

6. Financial systems functionality limitations are preventing the Coast Guard from establishing 
automated processes and application controls that would improve accuracy, reliability and facilitate 
efficient processing of certain financial data, such as: 

• Tracking of costs to support weighted average pricing for operating materials and supplies; 

• Maintaining data needed to support the calculation of accounts payable and provide detailed 
listings of accounts payable, which may reduce the resources spent by Coast Guard personnel in 
manually preparing the accounts payable accrual; 

• Ensuring proper segregation of duties such as automating the procurement process to ensure that 
only individuals who have proper contract authority can approve transactions; 

• Tracking detail transactions associated with intragovernmental business and eliminate the need for 
default codes such as Trading Partner Identification Number that cannot be easily researched; and 

• Ensuring that undelivered obligations are properly accounted for upon receipt of goods or services. 

Cause/Effect: The IT system development activities did not incorporate adequate security controls during 
the initial implementation more than six years ago. The current IT configurations of many Coast Guard 
financial systems cannot be easily reconfigured to meet new DHS security requirements. The existence of 
these IT weaknesses leads to added dependency on other mitigating manual controls to be operating 
effectively at all times. Because mitigating controls often require more human involvement, there is an 
increased risk that human error could materially affect the financial statements. In addition, the Coast 
Guard's core financial systems are not FFMIA compliant with the Federal Government's Financial System 
Integration Office (FSIO) requirements. See Comment I-A, Financial Management and Reporting, for a 
discussion of the related conditions causing significant noncompliance with the requirements of FFMIA. 
Configuration management weaknesses are also among the principal causes of the Coast Guard's inability 
to support its financial statement balances for audit purposes. 

Criteria: The Federal Information Security Management Act (FISMA), passed as part of the E-Gov Act of 
2002, mandates that Federal entities maintain IT security programs in accordance with standards prescribed 
by the Secretary of Commerce. 

OMB Circular No. A-130, Management of Federal Information Resources, describes specific essential 
criteria for maintaining effective general IT controls. 

FFMIA sets forth legislation prescribing policies and standards for Executive departments and agencies to 
follow in developing, operating, evaluating, and reporting on financial management systems. The purposes 
of FFMIA are to (1) provide for consistency of accounting by an agency from one fiscal year to the next, 
and uniform accounting standards throughout the Federal Government, (2) require Federal financial 
management systems to support full disclosure of Federal financial data, including the full costs of Federal 
programs and activities, (3) increase the accountability and credibility of federal financial management, (4) 
improve performance, productivity, and efficiency of Federal Government financial management, and (5) 
establish financial management systems to support controlling the cost of Federal Government. 

OMB Circular No. A-123, Management's Responsibility for Internal Control, states, "Agency managers 
should continuously monitor and improve the effectiveness of internal control associated with their 
programs. This continuous monitoring, and other periodic evaluations, should provide the basis for the 
agency head's annual assessment of and report on internal control, as required by FMFIA." This Circular 
indicates that "control weaknesses at a service organization could have a material impact on the controls of 
the customer organization. Therefore, management of cross-servicing agencies will need to provide an 
annual assurance statement to its customer agencies in advance to allow its customer agencies to rely upon 
that assurance statement. Management of cross-servicing agencies shall test the controls over the activities 
for which it performs for others on a yearly basis. These controls shall be highlighted in management's 
assurance statement that is provided to its customers. Cross-servicing and customer agencies will need to 
coordinate the timing of the assurance statements." 

DHS' Sensitive Systems Policy Directive, 4300A, as well as the DHS' Sensitive Systems Handbook 
documents policies and procedures adopted by DHS intended to improve the security and operation of all 
DHS IT systems including the Coast Guard IT systems. 

Recommendations: We recommend that the DHS Office of Chief Information Officer, in coordination with 
the Office of the Chief Financial Officer (OCFO), implement the recommendations in our LOU letter 
provided to the Coast Guard and DHS management. In that letter, we provide more detailed 
recommendations to effectively address the deficiencies identified in the configuration management 
process. 

I-C Fund Balance with Treasury 

Background: Fund Balance with Treasury (FBWT) at the Coast Guard totaled approximately $5.5 billion, 
or approximately 9.7 percent of total DHS FBWT, at September 30, 2009. The majority of these funds 
represented appropriated amounts that were obligated, but not yet disbursed, as of September 30, 2009. In 
FY 2008, we reported a material weakness in internal control over FBWT at the Coast Guard. In FY 2009, 
the Coast Guard corrected some FBWT control deficiencies and revised its remediation plan to include 
additional corrective actions that are scheduled to occur after FY 2009. Consequently, most of the 
conditions stated below are repeated from our FY 2008 report. 

Conditions: The Coast Guard has not developed a comprehensive process, to include effective internal 
controls, to ensure that all FBWT transactions are recorded in the general ledger timely, completely, and 
accurately. For example, the Coast Guard: 

• Did not properly design FBWT monthly activity reconciliations and/or could not provide detail 
transaction lists for amounts reported to Treasury for at least three of the six Coast Guard Agency 
Location Codes; 

• Recorded adjustments to the general ledger FBWT accounts or activity reports submitted to 
Treasury, including adjustments to agree Coast Guard balances to Treasury amounts, that were 
unsupported; 

• Does not have an effective process for clearing suspense account transactions related to FBWT due 
to over-reliance on vendor-provided data. The Coast Guard lacks documented and effective 
policies and procedures and internal controls necessary to support the completeness, existence, and 
accuracy of suspense account transactions. In addition, certain issues persist with industrial service 
orders (ISOs) and credit cards that preclude a complete and accurate population of suspense detail; 
and 

• Was unable to provide military payroll data to support the summary payroll transactions processed 
through the Coast Guard's FBWT. In addition, the Coast Guard lacked formal policies and 
procedures for processing and documenting all military and civilian payroll transactions. 

Cause/Effect: The Coast Guard had not designed and implemented accounting processes, including a 
financial system that complies with federal financial system requirements, as defined in OMB Circular No. 
A-127, Financial Management Systems, and the requirements of the Joint Financial Management 
Improvement Program (JFMIP), now administered by the FSIO, to fully support the FY 2009 FBWT 
activity and balance as of September 30, 2009. Failure to implement timely and effective reconciliation 
processes could increase the risk of undetected errors and/or violations of appropriation laws, including 
instances of undiscovered Anti-deficiency Act violations or fraud, abuse, and mismanagement of funds, 
which could lead to inaccurate financial reporting and affect DHS' ability to effectively monitor its budget 
status. 

Criteria: Statement of Federal Financial Accounting Standards (SFFAS) No. 1, Accounting for Selected 
Assets and Liabilities, paragraph 39 states, "Federal entities should explain any discrepancies between fund 
balance with Treasury in their general ledger accounts and the balance in the Treasury's accounts and 
explain the causes of the discrepancies in footnotes to financial statements. (Discrepancies due to time lag 
should be reconciled and discrepancies due to error should be corrected when financial reports are 
prepared). Agencies also should provide information on unused funds in expired appropriations that are 
returned to Treasury at the end of a fiscal year." 

Per Fund Balance with Treasury Reconciliation Procedures, a Supplement to I TFM 2-5100, Section V, 
"Federal agencies must reconcile their SGL 1010 account and any related subaccounts [. . .] on a monthly 
basis (at minimum). [. . .] Federal agencies must [. . .] resolve all differences between the balances reported 
on their G/L FBwT accounts and balances reported on the FMS 6653, 6654 and 6655 [now the 
Government-wide Accounting system (GWA)]." In addition, "An agency may not arbitrarily adjust its 
FBWT account. Only after clearly establishing the causes of errors and properly documenting those errors, 
should an agency adjust its FBWT account balance. If an agency must make material adjustments, the 
agency must maintain supporting documentation. This will allow correct interpretation of the error and its 
corresponding adjustment." 

Section 803(a) of FFMIA requires that Federal financial management systems comply with (1) applicable 
Federal accounting standards, (2) Federal financial management system requirements, and (3) the USSGL 
at the transaction level. FFMIA emphasizes the need for agencies to have systems that can generate timely, 
reliable, and useful information with which to make informed decisions to ensure ongoing accountability. 

The GAO Standards hold that transactions should be properly authorized, documented, and recorded 
accurately and timely. 

Recommendations: We recommend that the Coast Guard establish policies, procedures, and internal 
controls to ensure that FBWT transactions are recorded accurately and completely, and in a timely manner, 
and that all supporting documentation is maintained for all recorded transactions. These policies and 
procedures should allow the Coast Guard to: 

1. Perform complete and timely FBWT reconciliations using the Treasury Government-wide Accounting 
tools; 

2. Better manage its suspense accounts to include researching and clearing items carried in suspense 
clearing accounts in a timely manner during the year, and maintaining proper supporting 
documentation in clearing suspense activity; and 

3. Maintain payroll data supporting payroll transactions processed through FBWT and have access to 
complete documentation, if needed. 

I-D Property, Plant, and Equipment and Operating Materials and Supplies 

Background: The Coast Guard maintains approximately 52 percent of all DHS property, plant, and 
equipment (PP&E), including a large fleet of boats and vessels. Many of the Coast Guard's assets are 
constructed over a multi-year period, have long useful lives, and undergo extensive routine servicing that 
may increase their value or extend their useful lives. In FY 2009, the Coast Guard continued to revise 
corrective action plans as documented in FSTAR to address the PP&E process and control deficiencies, and 
execute remediation efforts. However, many of the FSTAR procedures are scheduled to occur over a 
multi-year timeframe. Consequently, many of the conditions cited below have been repeated from our FY 
2008 report. 

Operating Materials and Supplies (OM&S) are maintained by the Coast Guard in significant quantities and 
consist of tangible personal property to be consumed in normal operations to service marine equipment, 
aircraft, and other operating equipment. The majority of the Coast Guard's OM&S is physically located at 
either two Inventory Control Points (ICPs) or in the field. The Coast Guard's policy requires regularly 
scheduled physical counts of OM&S, which are important to the proper valuation of OM&S and its 
safekeeping. The conditions cited below for OM&S have been repeated from our FY 2008 report. 

DHS' Stewardship PP&E consists of heritage assets, which are PP&E that are unique due to historical or 
natural significance; cultural, educational, or artistic (e.g., aesthetic) importance; or architectural 
characteristics. The majority of DHS' stewardship PP&E is maintained by the Coast Guard, and consists of 
both collection-type heritage assets, such as artwork and display models, and non-collection-type heritage 
assets, such as lighthouses, sunken vessels, and buildings. 

Conditions: The Coast Guard has not: 

Regarding PP&E: 

• Established its opening PP&E balances necessary to prepare a balance sheet as of September 30, 
2009. In cases where original acquisition documentation has not been maintained, the Coast Guard 
has not developed and documented methodologies and assumptions to support the value of PP&E; 

• Implemented appropriate controls and related processes to accurately, consistently, and timely 
record additions to PP&E and construction in process (CIP), transfers from other agencies, 
disposals in its fixed asset system, and valuation and classification of repairable PP&E; 

• Implemented accurate and complete asset identification, system mapping, and tagging processes 
that include sufficient detail, e.g., serial number, to clearly differentiate and accurately track 
physical assets to those recorded in the fixed asset system; and 

• Properly accounted for some improvements and impairments to buildings and structures, capital 
leases, and selected useful lives for depreciation purposes, consistent with GAAP. 

Regarding OM&S: 

• Implemented policies, procedures, and internal controls to support the completeness, accuracy, 
existence, valuation, and presentation assertions related to the FY 2009 OM&S and related 
account balances; 

• Fully designed and implemented policies, procedures, and internal controls over physical counts 
of OM&S at field units to remediate conditions identified in previous years; and 

• Established processes and controls to fully support the calculated value of certain types of OM&S 
to approximate historical cost. 

Regarding stewardship PP&E: 

• Fully designed and implemented policies, procedures, and internal controls to support the 
completeness, existence, accuracy, and presentation assertions over data utilized in developing 
required financial statement disclosures and related supplementary information for Stewardship 
PP&E. 

Cause/Effect: The Coast Guard has had difficulty establishing its opening PP&E balances primarily 
because of poorly designed policies, procedures and processes implemented more than a decade ago, 
combined with ineffective internal controls. PP&E was not properly tracked or accounted for many years 
preceding the Coast Guard's transfer to DHS in 2003, and now the Coast Guard is faced with a formidable 
challenge of performing retroactive analysis in order to properly establish the existence, completeness, and 
accuracy of PP&E. Furthermore, the fixed asset module of the Coast Guard's CAS is not updated timely 
for effective tracking and reporting of PP&E on an ongoing basis. As a result, the Coast Guard is unable to 
accurately account for its PP&E, and provide necessary information to DHS OFM for consolidated 
financial statement purposes. 

Coast Guard management deferred correction of most OM&S weaknesses reported in previous years, and 
acknowledged that the conditions we reported in prior years remained throughout FY 2009. Lack of 
comprehensive and effective policies and controls over the performance of physical counts, and appropriate 
support for valuation, may result in errors in the physical inventory process or inventory discrepancies that 
could result in financial statement misstatements. 

The Coast Guard did not consider the new stewardship property reporting standards until late in the year, 
and did not have sufficient time to design and implement procedures to accumulate data needed for 
financial reporting purposes before the completion of the FY 2009 DHS AFR. 

Criteria: SFFAS No. 6, Accounting for Property, Plant, and Equipment, provides the general requirements 
for recording and depreciating property, plant and equipment. SFFAS No. 6 was recently amended by 
SFFAS No. 35, which clarifies that "reasonable estimates of original transaction data historical cost may be 
used to value general PP&E [. . .] Reasonable estimates may be used upon initial capitalization as entities 
implement general PP&E accounting for the first time, as well as by those entities who previously 
implemented general PP&E accounting." 

The Federal Accounting Standards Advisory Board (FASAB)'s Federal Financial Accounting Standards 
Interpretation No. 7, dated March 16, 2007, defines "items held for remanufacture" as items "in the process 
of (or awaiting) inspection, disassembly, evaluation, cleaning, rebuilding, refurbishing and/or restoration to 
serviceable or technologically updated/upgraded condition. Items held for remanufacture may consist of: 
Direct materials, (including repairable parts or subassemblies [...]) and Work-in-process (including labor 
costs) related to the process of major overhaul, where products are restored to 'good-as-new' condition 
and/or improved/upgraded condition. 'Items held for remanufacture' share characteristics with 'items held 
for repair' and items in the process of production and may be aggregated with either class. Management 
should use judgment to determine a reasonable, consistent, and cost-effective manner to classify processes 
as 'repair' or 'remanufacture'." 

SFFAS No. 29, Heritage Assets and Stewardship Land, provides the requirements for the presentation and 
disclosure of heritage assets. In summary, this standard requires that heritage assets and stewardship land 
information be disclosed as basic information in the notes to the financial statements, except for condition 
information, which is reported as required supplementary information (RSI). 

FFMIA Section 803(a) requires each agency to implement and maintain a system that complies 
substantially with Federal financial management system requirements. OMB Circular No. A-127 
prescribes the standards for federal agencies' financial management systems. That Circular requires an 
agency's system design to have certain characteristics that include consistent "internal controls over data 
entry, transaction processing, and reporting throughout the system to ensure the validity of information and 
protection of Federal Government resources." 

According to GAO Standards, assets at risk of loss or unauthorized use should be periodically counted and 
compared to control records. Policies and procedures should be in place for this process. The FSIO 
publication, Inventory, Supplies, and Materials System Requirements, states "the general requirements for 
control of inventory, supplies, and materials consist of the processes of receipt and inspection, storing, and 
item in transit." Specifically, the "placement into inventory process" requires that an "agency's inventory, 
supplies, and materials system must identify the intended location of the item and track its movement from 
the point of initial receipt to its final destination." SFFAS No. 3, Accounting for Inventory and Related 
Property, states OM&S shall be valued on the basis of historical cost. 

Recommendations: We recommend that the Coast Guard:
Regarding PP&E: 

1. Adopt the provisions of SFFAS No. 35, which provides alternatives to the Coast Guard to value
general property, plant, and equipment to establish its opening balances for balance sheet presentation; 

2. Implement appropriate controls and related processes to accurately and timely record additions to 
PP&E and CIP, transfers from other agencies, improvements, impairments, capital leases, depreciable 
lives, disposals in its fixed asset system, and valuation and classification of repairable PP&E; 

3. Ensure that appropriate supporting documentation is maintained and readily available for audit; and 

4. Implement processes and controls to record an identifying number in the fixed asset system at the time 
of asset purchase to facilitate identification and tracking; and ensure that the status of assets is 
accurately tracked in the subsidiary ledger. 

Regarding OM&S: 

5. Update OM&S physical count policies, procedures, and controls, and provide training to personnel 
responsible for conducting physical inventories at field units, and include key elements of an effective 
physical inventory in the policies; 

6. Consider adopting an inventory control system for OM&S as a method of tracking usage and 
maintaining a perpetual inventory of OM&S on hand; and 

7. Establish processes and controls to support the calculated value of OM&S to ensure accounting is 
consistent with GAAP. 

Regarding stewardship PP&E: 

8. Design and implement policies, procedures, and internal controls to support the completeness, 
existence, accuracy, and presentation and disclosure assertions related to the data utilized in 
developing disclosure and related supplementary information for Stewardship PP&E that is consistent 
with GAAP. 

I-E Actuarial and Other Liabilities 

Background: The Coast Guard maintains medical and post-employment travel benefit programs that 
require actuarial computations to record related liabilities for financial reporting purposes. The Military 
Retirement System (MRS) is a defined benefit plan that covers both retirement pay and health care benefits 
for all active duty and reserve military members of the Coast Guard. The medical plan covers active duty, 
reservists, retirees/survivors, and their dependents that are provided care at Department of Defense (DoD) 
medical facilities. The post-employment travel benefit program pays the cost of transportation for 
uniformed service members upon separation from the Coast Guard. Annually, participant and cost data is 
extracted by the Coast Guard from its records and provided to an actuarial firm as input for the liability 
calculations. The accuracy of the actuarial liability as reported in the financial statements is dependent on 
the accuracy and completeness of the underlying participant and cost data provided to the actuary as well as 
the reasonableness of the assumptions used. 

The Coast Guard estimates accounts payable by adjusting the prior year revised accounts payable accrual 
estimate by the percentage change in budgetary authority for the current fiscal year. The revised prior year 
estimate is calculated by analyzing actual payments made subsequent to September 30 of the prior year to 
determine a range within which the accrual should fall, and using the mid-point of that range. The 
calculation is based on the results of a statistical sample of subsequent disbursements and actual or average 
amounts paid. 

The Coast Guard's environmental liabilities consist of two main types: shore facilities and vessels. Shore 
facilities include any facilities or property other than ships, (e.g., buildings, fuel tanks, lighthouses, small 
arms firing ranges (SAFRs), etc.) 






Independent Auditors' Report 

Exhibit I - Material Weaknesses in Internal Control - U.S. Coast Guard 



Conditions: We noted the following internal control weaknesses related to actuarial and other liabilities. 
The Coast Guard has not: 

Regarding medical and post-employment benefits: 

• Implemented effective policies, procedures, and controls to ensure the completeness and accuracy 
of medical cost data and post-employment travel claims provided to, and used by, the actuary for 
the calculation of the medical and post-employment benefit liabilities. Reconciliations between 
subsidiary and general ledger amounts for medical expenditures are not effective; 

• Implemented controls to prevent overpayments for medical services; and 

• Implemented effective processes to account for military personnel data changes, including changes 
in leave balances and payroll corrections, in the appropriate reporting periods, and consequently 
the completeness and accuracy of leave and payroll accruals as well as data used for actuarial 
projections is not always reliable; 

Regarding accounts payable estimates: 

• Validated its methodology used to estimate accounts payable, e.g., the reliability of data, 
assumptions, and criteria used to calculate and subsequently validate the estimate for financial 
reporting; 

Regarding environmental liabilities: 

• Fully supported the completeness, existence, and accuracy assertions of the data utilized in 
developing the estimate for the FY 2009 environmental liability account balance; and 

• Fully developed, documented, and implemented the policies and procedures in developing, 
preparing, and recording the environmental liability estimates related to shore facilities, and has 
not approved policies and procedures for the review of the environmental liability estimate related 
to vessels. 

Cause/Effect: Much of the data required by the actuary comes from personnel and payroll systems that are 
outside of the Coast Guard's accounting organization and are managed by the Coast Guard's Pay and 
Personnel Center (PPC). Inaccurate medical costs submitted to the Coast Guard actuary could result in a 
misstatement of the actuarial medical liability and related expenses. 

The Coast Guard has not yet developed comprehensive policies and procedures or corrective action plans to 
address the conditions above, and consequently, management is unable to assert to the accuracy and 
completeness of the accounts payable and payroll accruals recorded as of September 30, 2009. 

Criteria: According to SFFAS No. 5, Accounting for Liabilities of the Federal Government, Other
Retirement Benefits (ORB) include all retirement benefits other than pension plan benefits. The ORB
liability should be reported using the aggregate entry-age normal actuarial cost method. The liability is the
actuarial present value of all future benefits less the actuarial present value of future normal cost
contributions that would be made for and by the employees under the plan.

According to SFFAS No. 5, paragraph 95, the employer should recognize an expense and a liability for 
other post-employment benefits (OPEB) when a future outflow or other sacrifice of resources is probable 
and measurable on the basis of events occurring on or before the reporting date. Further, the long-term 
OPEB liability should be measured at the present value of future payments, which requires the employer to 
estimate the amount and timing of future payments, and to discount the future outflow over the period for 
which the payments are to be made. 

The GAO Standards state that transactions should be properly authorized, documented, and recorded
accurately and timely. SFFAS No. 1 states, "When an entity accepts title to goods, whether the goods are 
delivered or in transit, the entity should recognize a liability for the unpaid amount of the goods. If 
invoices for those goods are not available when financial statements are prepared, the amounts owed should 
be estimated." 

Federal Accounting Standards Advisory Board (FASAB) Technical Release No. 2, Determining Probable
and Reasonably Estimable for Environmental Liabilities in the Federal Government, states that an agency 
is required to recognize a liability for environmental cleanup costs as a result of past transactions or events 
when a future outflow or other sacrifice of resources is probable and reasonably estimable. "Probable" is 
related to whether a future outflow will be required. "Reasonably estimable" relates to the ability to 
reliably quantify in monetary terms the outflow of resources that will be required. 

Recommendations: We recommend that the Coast Guard: 

Regarding actuarial liabilities: 

1. Implement effective policies, procedures, and controls to ensure the completeness and accuracy of 
medical cost data and post-employment travel claims provided to, and used by, the actuary for the 
calculation of the medical and post-employment benefit liabilities; 

2. Perform a periodic reconciliation between the medical expenditures recorded in the subsidiary ledger 
and those recorded in the CAS, and address differences before data is provided to the actuary. This 
reconciliation should be performed for all significant sources of medical actuarial data, including 
TriCare and DoD Military Treatment Facilities (MTFs). In addition, this reconciliation should be 
reviewed by someone other than the preparer to ensure accuracy; and 

3. Implement effective processes to account for military personnel data changes, including changes in 
leave balances and payroll corrections, and to ensure that updates are recorded in the proper accounting 
period; 

Regarding accounts payable: 

4. Analyze and make appropriate improvements to the methodology used to estimate accounts payable 
and support all assumptions and criteria with appropriate documentation to develop and subsequently 
validate the estimate for financial reporting; 

Regarding environmental liabilities: 

5. Develop and implement policies, procedures, processes, and controls to ensure identification of and 
recording of all environmental liabilities, define the technical approach, cost estimation methodology, 
and overall financial management oversight of its environmental remediation projects. Consider the 
"Due Care" requirements defined in FASAB Technical Release No. 2. The policies should include: 

a. Procedures to ensure the proper calculation and review of cost estimates for consistency and 
accuracy in financial reporting, including the use of tested modeling techniques, use of verified 
cost parameters, and assumptions; 

b. Periodically validate estimates against historical costs; and 

c. Ensure that detailed cost data is maintained and reconciled to the general ledger. 

I-F Budgetary Accounting 

Background: Budgetary accounts are a category of general ledger accounts where transactions related to 
the receipt, obligation, and disbursement of appropriations and other authorities to obligate and spend 
agency resources are recorded. Each Treasury Account Fund Symbol (TAFS) with separate budgetary 
accounts must be maintained in accordance with OMB and Treasury guidance. The Coast Guard has over 
90 TAFS covering a broad spectrum of budget authority, including annual, multi-year, and no-year 
appropriations; and several revolving, special, and trust funds. 

Conditions: We noted the following internal control weaknesses related to budgetary accounting, many of 
which were repeated from our FY 2008 report. The Coast Guard has not: 

• Fully implemented policies, procedures, and internal controls over the Coast Guard's process for 
validation and verification of undelivered order (UDO) balances that are operating effectively. 
Recorded obligations and UDO balances were not always complete, valid, and accurate, and proper
approvals and supporting documentation are not always maintained;

• Finalized and implemented policies and procedures to monitor unobligated commitment activity in
CAS throughout the fiscal year. Currently, the Coast Guard performs only a year-end review to
reverse commitments that are no longer valid;

• Designed and implemented effective procedures, processes, and internal controls to verify the 
completeness and accuracy of the year-end obligation "pipeline", which are obligations executed 
on or before September 30 but not recorded in the Coast Guard's CAS, and to record all executed 
obligations. These deficiencies affected the completeness, existence, and accuracy of the year-end 
"pipeline" adjustment that was made to record obligations executed before year end; and 

• Established adequate internal controls to ensure that procurement transactions are processed only 
by individuals who have the appropriate warrant authority, e.g., those with expired warrant 
authority are unable to process transactions. 

Cause/Effect: Several of the Coast Guard's budgetary control weaknesses can be corrected by 
modifications or improvements to the financial accounting system, process improvements, and 
strengthened policies and internal controls. Weak controls in budgetary accounting, and associated 
contracting practices increase the risk that the Coast Guard could violate the Anti-deficiency Act and 
overspend its budget authority. The financial statements are also at greater risk of misstatement. Reliable 
accounting processes surrounding obligations, UDOs, and disbursements are key to the accurate reporting 
of accounts payable in the DHS consolidated financial statements. The untimely release of commitments 
may prevent funds from being used timely for other purposes. 

Criteria: According to the Office of Federal Financial Management's Core Financial System 
Requirements, dated January 2006, an agency's core financial management system must ensure that an 
agency does not obligate or disburse funds in excess of those appropriated or authorized, and "the 
Budgetary Resource Management Function must support agency policies on internal funds allocation 
methods and controls." The Federal Acquisition Regulation (FAR) Section 1.602 addresses the authorities 
and responsibilities granted to contracting officers. Treasury's USSGL guidance at TFM S2 09-02 (dated 
August 2009) specifies the accounting entries related to budgetary transactions. 

FFMIA Section 803(a) requires that each Agency implement and maintain a system that complies 
substantially with Federal financial management system requirements. OMB Circular No. A-127 sets forth 
the standards for federal financial management systems. 

Recommendations: We recommend that the Coast Guard: 

1. Improve policies, procedures, and the design and effectiveness of controls related to processing 
obligation transactions, including periodic review and validation of UDOs. Emphasize to all fund 
managers the need to perform effective reviews of open obligations, obtain proper approvals, and 
retain supporting documentation; 

2. Finalize policies and procedures to periodically review commitments, and make appropriate 
adjustments in the financial system; 

3. Improve procedures, processes, and internal controls to verify the completeness and accuracy of the 
year-end obligation "pipeline" adjustment to record all executed obligations for financial reporting; 
and 

4. Establish automated system controls to ensure that procurement transactions can be processed only by 
those with appropriate/valid warrant authority. 

II-A Financial Management and Reporting

Department-wide Entity-Level Controls affecting Financial Reporting: 

Background: We were engaged to perform an integrated audit in fiscal year (FY) 2009, which is an audit 
of the financial statements integrated with an examination of internal control over financial reporting. The 
auditors' objective in an examination of internal control is to form an opinion on the effectiveness of 
internal control. We used the criteria defined in the Office of Management and Budget (OMB) Circular 
No. A-123, Management's Responsibility for Internal Control, to evaluate effectiveness of internal control.
OMB Circular No. A-123, and other similar control criteria such as Internal Control - Integrated
Framework issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO),
emphasizes the importance of entity-level controls as well as control activities over key financial statement
processes. Consequently, when planning our examination, we gave appropriate emphasis to testing
entity-level controls, such as management's risk assessment and monitoring processes, and other control
environment elements that exist throughout the Department of Homeland Security (DHS or the 
Department). Four Department-wide control environment conditions were identified through our 
examination procedures that have a pervasive influence on the effectiveness of controls. Those common 
themes are described below; however, they also contribute to several of the conditions presented 
throughout Exhibits I - IV. 

Conditions: We identified the following Department-wide control environment weaknesses that have a 
pervasive effect on the effectiveness of internal controls over consolidated financial reporting: 

• The Department lacks a sufficient number of accounting and financial management personnel with 
the core technical competencies to ensure that its financial statements are prepared accurately and 
in compliance with generally accepted accounting principles; 

• DHS' accounting and financial reporting infrastructure, including policies, procedures, processes, 
and internal controls, has not received investments in proportion to the Department's rapid
growth in new programs and operations, and changes in mission since the Department's inception; 

• Field and operational personnel do not always share responsibilities for, or are not held 
accountable for, financial management matters that affect the financial statements, including 
adhering to accounting policies and procedures and performing key internal control functions in 
support of financial reporting; and 

• The Department's financial Information Technology (IT) system infrastructure is aging and has 
limited functionality, which is hindering the Department's ability to implement efficient corrective 
actions and produce reliable financial statements that can be audited. 

Recommendations: We recommend that the Department's Office of the Chief Financial Officer (OCFO), 
with the support of the Deputy Secretary and Under Secretary for Management, develop and implement 
actions to: 

1. Analyze the structures of essential financial management offices and skill sets of key financial 
management personnel in significant components of DHS to improve core competencies and 
strengthen internal controls; 

2. Expand the annual risk assessment to identify weaknesses in accounting and financial reporting, 
including accounting systems, processes, and infrastructure, where problems are likely to occur due to 
changing operations and programs; 

3. Use the results of the risk assessment to allocate resources and invest in infrastructure to mitigate risks 
and to ensure that expenditures for new programs and initiatives are properly accounted for and 
accurately reflected in the financial statements; 

4. Improve information and communications related to roles and responsibilities of field and operational 
personnel for their compliance with existing policies and procedures in support of effective internal 
controls, financial reporting, and fiscal management; and 

5. Continue the assessment of the Department's financial IT system infrastructure, with the objective of
improving the effectiveness of IT controls and IT functionality in support of timely and accurate 
financial reporting. In the interim, implement compensating controls designed to help ensure 
completeness, accuracy, authorization, and validity of financial transactions reported in the financial 
statements. 



Financial Management and Reporting (TSA, FEMA and CBP): 

Background: The Transportation Security Administration (TSA) 
has had difficulty establishing baseline accounting policies, 
procedures, and processes, with well-designed and effective 
internal controls. In FY 2009, TSA made some progress in 
reconciling its balance sheet accounts and addressed some 
matters that have led to misstatements in the financial statements 
in previous years. However, this progress was achieved only 
through the exceptional efforts of a few people in the Office of 
Financial Management (OFM) - a situation that is unsustainable 
in the long-run. Entity-level control weaknesses reported in FY 
2008 continued to exist in FY 2009 and had a more acute effect 
on TSA's financial reporting processes, causing us to elevate 
some conditions to a material weakness. 

The Federal Emergency Management Agency (FEMA)'s accounting and financial reporting processes must
support multi-faceted operations such as temporary assistance funds, disaster relief loans, national flood
insurance programs, stockpiles of essential supplies, mission assignments to other federal agencies for
restoration and reconstruction, and grants to state and local governments. While FEMA has taken positive
steps in FY 2009 to correct control deficiencies that we have reported in the past, financial reporting
control deficiencies continued to exist throughout the year.

In recent years, U.S. Customs and Border Protection (CBP)'s operations and capital expenditures have 
increased substantially, particularly along the southwest border states. However, CBP has not invested in 
an accounting and financial reporting infrastructure in proportion to its growth in mission. The accounting 
system, processes, and staffing levels that existed several years ago are absorbing an increased workload, 
creating an environment where financial statement errors are more likely to occur, especially in areas that 
are new to CBP, such as construction of the virtual and physical fence along the southwest border. 

Conditions: 

1. TSA: 

• Does not have a sufficient number of accounting personnel who possess the technical accounting 
proficiencies necessary to: 

Support and perform essential accounting and financial reporting functions; 

Ensure appropriate segregation of duties, and to supervise and review accounting processes 
throughout the agency; 

Ensure that material financial reporting issues are identified on a timely basis; and 

Ensure that significant events and transactions are properly accounted for and financial 
statements and related disclosures are presented in conformity with generally accepted 
accounting principles (GAAP); 

• Has weaknesses in communication, training, supervision and/or coordination with personnel 
outside of OFM, that contribute to control weaknesses in processes dependent on operations; 

• Has not maintained adequate documentation of its accounting processes, internal controls,
transactions, and significant events to support management's assertions related to key processes 
and financial statement balances and disclosures; 

• Has conducted an annual risk assessment; however, the risk assessment did not identify all matters 
that could have a material impact on the financial statements, and did not result in an effective 
internal control structure for the entire year; 

• Is not fully compliant with the United States Government Standard General Ledger (USSGL) 
requirements at the transaction level. For example, TSA did not record property-related 
adjustments into the applicable general ledger accounts at the appropriate fund account symbol to 
provide an audit trail at the transaction level. In addition, proprietary to budgetary account 
imbalances were created due to advance adjustments recorded without the corresponding 
budgetary effects; and 

• Is unable to fully identify and present its intragovernmental balances and transactions by trading 
partner. 

2. FEMA: 

• Does not have adequate processes and controls to ensure that all adjustments are fully researched, 
substantiated, documented, and/or appropriately reviewed prior to preparation and submission of 
financial data to the Department. For example, FEMA performs manual adjustments to correct 
attributes for certain financial activity, primarily related to the former Office of Grants and 
Training. These adjustments are not fully substantiated; 

• Has financial reporting processes that produce numerous differences and abnormal balances that 
must be researched and resolved before the IT system will allow transmission of financial data to 
the Department. A substantial number of material manual adjustments are necessary to resolve 
these differences. FEMA does not have a policy that requires timely research to identify and 
correct the source of the differences to prevent recurring failed edit checks and abnormal balances; 

• Lacks sufficient staff to ensure proper segregation of the preparation, recording, review, and 
approval of adjustments prior to submission of financial information to the Department; 

• Has developed a complex process to record flood insurance financial information obtained from 
the third-party service provider into its general ledger, which increases the likelihood of error in 
the flood related balances; and 

• Does not have adequate internal controls in place to ensure that apportionments are recorded 
timely and accurately, and did not properly investigate an abnormal balance identified in USSGL 
account 4510 at year-end. As a result, FEMA initially understated apportionments and overstated 
unapportioned authority at September 30, 2009, by approximately $579 million. 

3. CBP: 

• Has not developed and effectively communicated policies and procedures to properly account for 
and timely report significant new activities that occur outside of the Office of Finance; 

• Has not added sufficient resources or infrastructure within the Office of Finance or in the operating 
divisions to supplement its current accounting and financial reporting personnel, and consequently, 
has been unable to adequately monitor inputs and operational activities to ensure proper and timely 
accounting and reporting consideration; and 

• Does not have an annual risk assessment and/or focus group process that maintained its 
effectiveness to timely identify and address new accounting standards, and/or the application of 
existing standards to new operations, that may have a material impact on financial reporting 
throughout the year. 

Cause/Effect: TSA has devoted substantial resources to the development of its initial balance sheet. This
effort involves many one-time efforts that will not need to be repeated in future years. At times, the effort 
has also commanded more resources than TSA was able to provide. Financial reporting and management 
control deficiencies are caused primarily by a lack of personnel who have the necessary technical 
accounting skills to perform essential financial reporting functions, including the development and 
implementation of processes to ensure that all relevant financial statement assertions are considered when 
preparing financial statements. In some cases, the adjustments were recorded without appropriate 
supporting analysis and documentation. In addition, accounting personnel did not consider all relevant 
assertions, such as completeness, or consider relevant technical accounting standards before representing to 
the auditor that balances were correct. Consequently, we discovered numerous errors in FY 2009, 
including differences between subsidiary records and the general ledger, unrecorded liabilities, 
misclassified assets, and various over and understatements of other balance sheet account balances. 

FEMA's IT systems are outdated and have limited capacity for modification. (See comment II-B, 
Information Technology Controls and Financial System Functionality.) Consequently, FEMA must rely 
more heavily on manual analyses and adjustments to accurately prepare financial statements. With 
accelerated time-frames for reporting, particularly at year-end, the likelihood that a material error will 
occur increases. Because of timing differences and the complexities of the National Flood Insurance 
Program (NFIP), the determination of the appropriate related proprietary and budgetary accounting is 
inherently difficult, and because of resource constraints, the legacy process to record all NFIP entries into 
the general ledger has not been recently re-evaluated for efficiency and effectiveness. As a result, there is 
an increased risk that errors will be made when recording the adjustments, and FEMA was not in full 
compliance with the USSGL until an on-top adjustment was recorded at year-end. 

CBP has not made sufficient investments in its accounting and financial reporting infrastructure, including 
human resources, and has not identified and established policies and procedures to account for substantial 
new operations. In addition, CBP does not have a formalized, continuous, and comprehensive 
communication process to identify the need for and implement new accounting processes that are important 
to financial reporting. Consequently, CBP and the external auditor have identified several errors in the 
financial statements, some of which related to the prior year. 

Criteria: OMB Circular No. A-123 defines internal control and provides guidance to Federal managers on
improving the accountability and effectiveness of Federal programs and operations by establishing, 
assessing, correcting, and reporting on internal control. In particular, management is responsible for 
establishing and maintaining internal control to achieve the objectives of effective and efficient operations, 
reliable financial reporting, and compliance with applicable laws and regulations. The documentation for 
internal control, all transactions, and other significant events should be readily available for examination. 
Further, relevant, reliable, and timely information should be communicated to relevant personnel at all 
levels within an organization. It is also crucial that an agency communicate with outside organizations. In 
addition, the Circular states that management should identify both internal and external risks, and analyze 
those risks for their potential effect on the entity. 

The Federal Financial Managers Improvement Act of 1996 (FFMIA) Section 803(a) requires all Chief 
Financial Officer (CFO) Act agencies to implement financial management systems that comply with three 
essential requirements: Federal financial management systems requirements, Federal accounting standards, 
and USSGL at the transaction level. 

OMB Circular No. A-11, Instructions on Budget Execution, Appendix H, requires that an agency's
accounting systems provide for recording all financial transactions affecting apportionments, and for 
preparing and reconciling financial reports that display cumulative obligations, the remaining unobligated 
balance by appropriation and allotment, and cumulative obligations by budget activity and object class. 

OMB Circular No. A-50, Audit Follow-Up, states that corrective action taken by management on resolved 
findings and recommendations is essential to improving the effectiveness and efficiency of Government 
operations. Each agency shall establish systems to assure the prompt and proper resolution and 
implementation of audit recommendations. These systems shall provide for a complete record of action 
taken on both monetary and nonmonetary findings and recommendations. 

Statement of Federal Financial Accounting Concepts No. 1, Objectives of Federal Financial Reporting, 
states that financial reporting "should help report users make relevant comparisons among similar federal 
reporting units, such as comparisons of the costs of specific functions or activities. Comparability implies 
that differences among financial reports should be caused by substantive differences in the underlying 
transactions or organizations rather than by the mere selection of different alternatives in accounting 
procedures or practices." 

The Treasury Federal Intragovernmental Transactions Accounting Policies Guide, dated August 6, 2009, 
and OMB Circular No. A-136, Financial Reporting Requirements, as revised, require Federal CFO Act and 
non-CFO Act entities identified in the Treasury Financial Manual (TFM) 2009, Vol. I, Part 2, Chapter 
4700, Agency Reporting Requirements for the Financial Report of the United States Government, to 
perform quarterly reconciliations of intragovernmental activity/balances. TFM, Section 4706, 
Intragovernmental Requirements, provides guidance on OMB Circular No. A-136 requirement for 
reporting agencies to reconcile and confirm intragovernmental activity and balances quarterly for specific 
reciprocal groupings. TFM Bulletin 2007-03, Intragovernmental Business Rules, also provides guidance to 
Federal agencies for standardizing the processing and recording of intragovernmental activities. 

Recommendations: We recommend that: 

1. TSA: 

a. Perform a review of its financial and accounting infrastructure and human resource needs, 
including job responsibilities, functions, and defined tasks and skill sets needed to support 
essential accounting and financial reporting functions throughout the agency. This may involve 
restructuring and hiring additional personnel to fill identified gaps, re-aligning personnel to fill the 
gaps, and properly utilizing and assigning personnel with responsibilities that best match their 
expertise; 

b. Adopt procedures to ensure that relevant financial reporting issues are identified on a timely basis 
and to ensure that events and transactions are properly accounted for, and financial statements and 
related disclosures are presented in conformity with GAAP; 

c. Improve communication, training, supervision and/or coordination with personnel outside of the 
Office of Financial Management to ensure that necessary transactional inputs and information are 
received accurately and timely; 

d. Ensure that the annual risk assessment process is considered in updating accounting processes and 
implementing internal controls; 

e. Work with its accounting service provider to ensure that the proper trading partner code is 
recorded for each intragovernmental transaction. Until such time, TSA should continue to 
perform its manual process for the identification and reporting of intragovernmental activities and 
balances; and 

f. Develop policies and procedures to ensure compliance with the USSGL requirements at the 
transaction level. Specifically, the procedures should ensure that adjustments to the general ledger 
system are recorded at the appropriate fund account symbol and include the correct budgetary and 
proprietary entries. 

2. FEMA: 

a. Update its current processes and controls to ensure that manual adjustments are fully researched, 
substantiated, documented, and/or appropriately reviewed prior to preparation and submission of 
financial data to the Department; 

b. Determine the cause of edit check variances in the general ledger submission to the Department, 
and implement corrective actions to correct the source of the error and eliminate the need for 
correcting manual adjustment in future periods; 

c. Complete the merger of the two instances of its financial system, and make necessary changes to 
the merged system to alleviate recurring issues with attributes and financial data submissions to 
the Department; 

d. Continue to dedicate sufficient resources to the financial reporting process to ensure proper 
segregation of the preparation, recording, review, and approval of adjustments made to the general 
ledger; 

e. Re-evaluate the current NFIP adjustment process, and issue Standard Operating Procedures 
(SOPs) specifically designed for the recording of NFIP financial statement information into the 
FEMA general ledger in a more simplified manner; and 

f. Develop and implement policies and procedures to properly record, review, reconcile, and 
investigate abnormal balances in the budgetary status accounts to strengthen the administrative 
control of funds. 

3. CBP: 

a. Develop and timely communicate policies and procedures to ensure that key financial reporting 
issues are addressed before significant new operations are undertaken; 

b. Conduct a human resource and finance organizational assessment to identify accounting and 
finance infrastructure improvements that should be made to ensure that the Office of Finance and 
operational units have the resources to establish necessary policies, procedures and controls in 
operational units, and to ensure effective monitoring of transactions and events that affect financial 
reporting; and 

c. Enhance the annual risk assessment and/or focus group process to ensure continued effectiveness 
and relevance in identifying new accounting standards, and/or the application of existing standards 
to new operations timely. 

II-B Information Technology Controls and Financial System Functionality 

Background: IT general and application controls are essential for achieving effective and reliable reporting 
of financial and performance data. IT general controls are tested using the objectives defined by the 
Government Accountability Office (GAO)'s Federal Information System Controls Audit Manual 
(FISCAM), in five key control areas: security management, access control, configuration management, 
segregation of duties, and business continuity. In addition to IT general controls, financial systems contain 
application controls, which are the structure, policies, and procedures that apply to the use, operability, 
interface, edit, and monitoring controls of a financial application. 

During FY 2009, DHS civilian components made progress in strengthening their IT general controls, which 
resulted in the closure of more than 60 percent of the IT control findings we had reported in FY 2008. 
However, because of new findings, the number of Department-wide IT control deficiencies increased when 
compared to the prior year. 

During FY 2009, we also considered the effects of financial system functionality while testing IT general 
and application controls and other internal controls over financial reporting. Many of the financial systems 
in use at DHS components were inherited from the legacy agencies and have not been substantially updated 
since the Department's inception. Additionally, DHS has had limited Department-wide financial system 
development and improvement activities. Consequently, ongoing financial system functionality limitations 
are contributing to the Department's challenges of addressing systemic internal control weaknesses, 
strengthening the overall control environment, and preparing auditable financial statements. 

Conditions: Our findings related to IT controls and financial systems functionality follow: 

Related to IT controls: 

The IT general control FISCAM areas that continue to present risks to DHS financial data confidentiality, 
integrity, and availability include: 

• Access controls - Key DHS financial systems and applications have access control weaknesses, 
including: weaknesses in security documentation and approvals; lack of recertification for user 
accounts on an annual basis; inconsistent disabling of user account accesses upon termination; 
inadequate or weak system passwords; workstations, servers, or network devices without 
necessary software patches; lack of sufficient workstation inactivity time-outs; out of date 
anti-virus software; and insufficient audit logging. In addition, we identified the following instances 
where DHS policy was not adhered to: 

While performing physical access testing, we identified the following unsecured items: 
Government credit cards; financial system user IDs and passwords; computer laptops; and 
issued badges; and 

We identified instances where DHS employees did not follow IT policy when asked to provide 
their system user names and passwords to an auditor. 

• Configuration management - We identified configuration management processes that are not fully 
defined, followed, or effective, including: 

Instances where changes made to financial systems were not always properly approved, tested, 
or documented in accordance with the required System Change Request (SCR) process; and 

Instances where policies and procedures regarding change controls were not in place to 
prevent users from having concurrent access to financial system development, test, and 
production environments, or for restricting access to application system software and system 
support files. 

• Security management - We identified security management practices that do not fully and 
effectively ensure that financial systems are certified, accredited, and authorized for operation 
prior to implementation; and that all operational financial systems are accounted for in DHS' 
system inventory and monitored for compliance with security requirements in Federal Information 
Security Management Act (FISMA). Additionally, we noted that security and technical 
requirements for financial systems have not been considered and planned for in an integrated 
fashion during systems development and acquisition initiatives. 

These control findings, including significant deficiencies that do not rise to the level of a material 
weakness, are described in greater detail in a separate Limited Official Use letter provided to DHS 
management. 

Related to financial system functionality: 

We noted that financial system functionality limitations are contributing to control deficiencies reported in 
Exhibits II and III, and are inhibiting progress on corrective actions in several DHS components. Each of 
the Departmental material weaknesses can be linked in part to a lack of financial system functionality. 

Systemic conditions related to financial system functionality include: 

• The need to physically segregate key accounting functions because financial systems cannot 
enforce automated segregation of duties; 

• Financial system audit logs that are not readily generated and reviewed because some financial 
systems cannot offer the necessary functionality; 

• DHS-required system passwords that are not being used because some financial systems cannot 
support the policy; 

• Financial systems that do not provide flexible, user-friendly functionality to access financial data 
for ad hoc analysis or to track operational information that is supportive of financial data; and 

• Production versions of operational financial systems that are outdated, no longer supported by the 
vendor, and do not provide the necessary core functional capabilities (e.g., general ledger 
capabilities). Because the systems are outdated and no longer supported by the vendors, system 
updates and enhancements are challenging if not impossible. 

Cause/Effect: A contributing cause to repeated IT control findings is that DHS lacks an effective 
component-wide prioritization of financial system weaknesses, including the development of a stable 
centralized financial system platform for the Department. The time and resources needed to implement 
corrective actions necessary to mitigate these weaknesses could take several years. 

The conditions supporting our findings collectively limit DHS' ability to ensure that critical financial and 
operational data is kept secure and is maintained in a manner to ensure confidentiality, integrity, and 
availability. Many of these weaknesses, especially those in the area of access and configuration 
management controls, may result in material errors in DHS' financial data that are not detected in a timely 
manner and in the normal course of business. In addition, as a result of the presence of IT control 
weaknesses and financial system functionality weaknesses, there is increased reliance on other mitigating 
manual controls to be operating effectively at all times. Because mitigating controls often require more 
manually performed procedures, there is an increased risk of human error that could materially affect the 
financial statements. 

Criteria: FISMA, passed as part of the E-Gov Act of 2002, mandates that Federal entities maintain IT 
security programs in accordance with guidelines that refer to the guidance published by the National 
Institute of Standards and Technology (NIST). In addition, OMB Circular No. A-130, Management of 
Federal Information Resources, describes specific essential criteria for maintaining effective general IT 
controls. Further, FFMIA sets forth legislation prescribing policies and standards for Executive 
departments and agencies to follow in developing, operating, evaluating, and reporting on financial 
management systems. The purposes of FFMIA are to: (1) provide for consistency of accounting by an 
agency from one fiscal year to the next, and uniform accounting standards throughout the Federal 
Government; (2) require Federal financial management systems to support full disclosure of Federal 
financial data, including the full costs of Federal programs and activities; (3) increase the accountability 
and credibility of federal financial management; (4) improve performance, productivity and efficiency of 
Federal Government financial management; and (5) establish financial management systems to support 
controlling the cost of Federal Government. FFMIA requirements are complemented by Financial System 
Integration Office (FSIO) requirements, which set forth core financial management functionality required 
by Federal financial systems. Finally, DHS' Sensitive Systems Policy, 4300A, documents policies and 
procedures adopted by DHS intended to improve the security and operation of all DHS IT systems. 

Recommendations: We recommend that the DHS Office of the Chief Information Officer, in coordination 
with OCFO, make necessary improvements to the Department's financial management systems. Specific 
recommendations are provided in a separate Limited Official Use letter provided to DHS management. 



II-C Not Used 



II-D Property, Plant, and Equipment (TSA, CBP, USCIS, NPPD, and ICE) 

Background: TSA manages passenger and baggage X-ray, explosives detection, and other equipment as part of 
its mission. This equipment, which is in every major U.S. airport, is owned and maintained by TSA. The 
costs required to procure, ship, temporarily store, install, operate, and maintain this equipment are 
substantial and consume a large portion of TSA's annual operating budget. Unique accounting processes and 
systems are necessary to track the status and accumulate costs, and to accurately value, account for, and 
depreciate the equipment. In FY 2008, in response to auditor inquiries, TSA initiated various reviews of its 
Property, Plant, and Equipment (PP&E) and identified errors in its accounting for equipment used in airports 
that required a number of restatements and current year corrections. These conditions continued into 
FY 2009 and prevented TSA from asserting that its PP&E balances at September 30, 2009, are fairly stated 
prior to the completion of the DHS FY 2009 Annual Financial Report (AFR). 

[Table by component (CBP, FEMA, TSA, US-Visit*, USCIS, ICE, NPPD) and fiscal year (2009, 2008, 2007)] 
* US-Visit merged into NPPD in 2007 
See page II-2 for table explanation 

CBP has acquired substantial new technology, facilities, and other assets in recent years through purchase 
and construction. Since FY 2004, CBP's PP&E has increased from $1.5 billion to $5.2 billion as of 
September 30, 2009, an increase of nearly 250 percent. One of the largest components of this growth is the 
Secure Border Initiative (SBI), which is a comprehensive multi-year plan to secure America's borders and 
reduce illegal migration. SBI includes two main components: the Facilities Management and Engineering 
(FM&E) Tactical Infrastructure (TI) and the SBI Network (SBInet). To properly account for this level and 
complexity of capital expenditure, CBP has had to implement new accounting policies, procedures, and 
processes, and apply technical accounting standards not previously used by CBP, such as full-costing of 
construction projects. 

The U.S. Citizenship and Immigration Services (USCIS) is the government agency that oversees lawful 
immigration into the United States. It carries out this mission at over 75 service centers and district offices 
located throughout the United States and its territories. All of these locations are leased through the 
General Services Administration. Due to increased application volume over the past several years, many of 
these locations have had significant recent leasehold improvements. 

The National Protection and Programs Directorate (NPPD) is responsible for the United States Visitor and 
Immigrant Status Indicator Technology (US-VISIT) program, which provides biometric identification and 
analysis services that enable DHS to ensure the integrity of the U.S. immigration system while protecting 
the privacy of international visitors. The US-VISIT program has been under development since the 
inception of DHS in 2003. 

The U.S. Immigration and Customs Enforcement (ICE)'s mission is to protect the security of the American 
people and homeland by vigilantly enforcing the nation's immigration and customs laws. To enforce these 
laws, ICE has invested heavily in software development to analyze data to allow it to achieve its mission. 

In FY 2009, FEMA substantially corrected its control deficiencies over internal use software that were 
reported in FY 2008. 

Conditions: We noted the following internal control weaknesses related to property, plant, and equipment: 

1. TSA: 

• Does not have documented policies and procedures in place to properly account for, monitor, and 
report: 

Internal use software balances, including the application of Statement of Federal Financial 
Accounting Standards (SFFAS) No. 10, Accounting for Internal Use Software, identification 
and allocation of direct and indirect costs to long-term projects, and capitalization of multiple 
unit and/or multi-year installations; 

Other direct costs incurred to transport, store, and install screening equipment at airports; 

Idle or impaired assets consistent with applicable accounting standards, or to ensure that 
disposed assets are properly accounted for in the financial statements; and 

Purchased assets that are under the capitalization threshold, such as peripheral equipment and 
bulk purchases; 

• Does not have documented policies and procedures in place to ensure that: 

Assets are recorded, depreciated, and disposed of on a timely basis; 

The subsidiary ledger is reconciled on a regular basis and net book value is correct and 
supported on an asset-by-asset basis; and 

Heritage assets are properly identified, tracked, and reported; 

• Does not always adhere to its policy requiring timely updates to the capital asset subsidiary ledger 
after assets are transferred between locations. 

2. CBP: 

• Does not have adequate accounting policies, procedures, processes, and controls to properly 
account for new equipment purchases and transfers, construction, or to properly identify and 
allocate indirect costs to construction projects, or to ensure that depreciation is properly computed 
and recorded, in a timely manner. For example, CBP: 

Inappropriately expensed certain equipment purchases in previous years that required 
correction in FY 2009, including transactions related to SBInet; 

Did not transfer assets from construction-in-process (CIP) to in-use assets in a timely manner; 

Did not consistently record CIP related to the FM&E TI fence construction per the observed 
percentage of completion (POC); 

Did not establish and apply an appropriate depreciable life to the newly constructed FM&E TI 
steel fence in a timely manner; and 

Did not record some asset disposals in accordance with its policy; 

• Did not properly perform and/or document several physical annual inventories related to real and 
personal property. 

3. USCIS did not have adequate policies and procedures and related internal controls throughout the year 
to ensure that: 

• Leasehold improvements at its facilities are accurately accounted for in the general ledger. During 
FY 2009, USCIS identified a gross adjustment of approximately $44 million in leasehold 
improvements that had not been properly recorded in previous years, resulting in a restatement of 
its financial statements to correct the error; and 

• Internal use software and software in development projects are properly accounted for in 
accordance with applicable accounting standards. USCIS recorded a restatement to its FY 2008 
financial statements to properly present the gross cost of its capitalized internal use software 
totaling $290 million. 

4. NPPD did not have adequate policies and procedures and related internal controls throughout the year 
to ensure that hardware purchased by its contractors and held at contractor sites was properly titled to 
DHS and was accurately and timely recorded in the general ledger. As a result, NPPD restated its FY 
2008 financial statements to record $225 million of equipment, gross, that was acquired in previous 
years and currently located at a contractor site. 

5. ICE did not have policies and procedures throughout the year to properly account for internal use 
software and software in development in accordance with the applicable accounting standards. As a 
result, ICE recorded an adjustment totaling $12 million, gross, to restate its FY 2008 financial 
statements to correct this error. 

Cause/Effect: TSA devoted substantial time and resources in FY 2009, including contractor assistance, in 
an attempt to retroactively correct and restate opening balance sheet values and to properly account for 
PP&E prospectively. Management was not able to fully complete the work prior to completion of the DHS 
FY 2009 AFR. In some cases, TSA was dependent on input and feedback from the auditor for 
interpretation and application of accounting standards and recommendations to resolve difficult accounting 
issues related to the development of its opening balance sheet. This deficiency is also related to the 
conditions described in Comment II-A, Financial Management and Reporting. 

CBP's substantial growth, especially in the purchase and construction of capital assets, has required greater 
capacity of human and system resources, including resources outside of the Office of Finance. As a result, 
accounting for new operations, such as the construction of the FM&E TI fence, is not considered in a 
timely manner, causing errors or misapplication of GAAP in financial reporting. These financial statement 
errors and/or inconsistencies with GAAP may go undetected, in some cases until subsequent years or until 
questioned by an auditor. Also, CBP financial systems functionality to track and account for assets in 
various stages of completion and deployment is limited, causing the need for greater manual involvement 
to accurately report assets. This deficiency is also related to the conditions described in Comment II-A, 
Financial Management and Reporting, and Comment II-B, Information Technology Controls and 
Financial System Functionality. 

USCIS and ICE are obtaining "stand-alone" audits of their September 30, 2009 balance sheets. In previous 
years, these components prepared financial statements using a DHS consolidated level of materiality. In 
preparation for the stand-alone audits, both components performed reviews of their significant accounting 
principles and various financial reporting policies and procedures. Through these reviews, USCIS and ICE 
identified several discrepancies between existing policies and procedures and those required to comply with 
GAAP. Corrective actions were taken to properly state the account balances for financial statement 
reporting purposes, and updated policies and procedures were issued. 

Since NPPD's accounting service provider is ICE, the accounting policy review performed by ICE included 
policies that impact NPPD and other components serviced by ICE during FY 2009. The lack of policies, 
procedures, and adequate accounting processes over DHS equipment at contractor sites was identified by 
ICE during its review of policies related to PP&E accounting. 

Criteria: SFFAS No. 10 provides requirements for the capitalization and reporting of internal use software 
development costs. According to paragraph 16, the capitalizable cost should include "....the full cost 
(direct and indirect cost) incurred during the software development stage." Per SFFAS No. 10, paragraphs 
18-20, "For COTS [Commercial off-the-shelf] software, capitalized cost should include the amount paid to 
the vendor for the software. For contractor-developed software, capitalized cost should include the amount 
paid to a contractor to design, program, install, and implement the software. Material internal cost incurred 
by the federal entity to implement the COTS or contractor-developed software and otherwise make it ready 
for use should be capitalized [...] Costs incurred after final acceptance testing has been successfully 
completed should be expensed." 

SFFAS No. 6, Accounting for Property, Plant, and Equipment, paragraph 17, states, "Property, plant, and 
equipment consists of tangible assets, including land, that meet the following criteria: they have estimated 
useful lives of 2 years or more; they are not intended for sale in the ordinary course of operations; and they 
have been acquired or constructed with the intention of being used, or being available for use by the 
entity." Per paragraph 26, "All general PP&E shall be recorded at cost. Cost shall include all costs 
incurred to bring the PP&E to a form and location suitable for its intended use." Paragraph 34 requires, "In 
the case of constructed PP&E, the PP&E shall be recorded as construction work in progress until it is 
placed in service, at which time the balance shall be transferred to general PP&E." Per paragraph 35, 
"Depreciation expense is calculated through the systematic and rational allocation of the cost of general 
PP&E, less its estimated salvage/residual value, over the estimated useful life of the general PP&E. 
Depreciation expense shall be recognized on all general PP&E, except land and land rights of unlimited 
duration." 

GAO's Standards for Internal Control in the Federal Government (Standards) requires that internal control 
and all transactions and other significant events be clearly documented and readily available for 
examination. The Joint Financial Management Improvement Program (JFMIP), Property Management 
Systems Requirements, state that the agency's property management system must create a skeletal property 
record or have another mechanism for capturing information on property in transit from the providing 
entity (e.g., vendor, donator, lender, grantor, etc.). 

Recommendations: We recommend that: 

1. TSA: 

a. Develop and implement policies and procedures to properly account for, monitor, and report 
internal use software balances; other direct costs incurred to transport, store, and install screening 
equipment at airports; idle, impaired, and disposed assets; and assets and bulk purchases that are 
under the capitalization threshold, consistent with applicable accounting standards; 

b. Improve training and communication to ensure that TSA's policies regarding updates to the capital 
asset subsidiary ledger after assets are transferred between locations are consistently followed; 

c. Develop policies and procedures to ensure assets are properly recorded, depreciated, disposed, and 
reconciled to the general ledger on a timely basis; and 

d. Develop policies and procedures to ensure heritage assets are properly identified, tracked, and 
reported. 

2. CBP: 

a. Develop, document, and communicate policies and procedures for classifying, recording, and 
reviewing all capital transactions, particularly for new construction, to ensure that the financial 
statements are materially correct and presented in accordance with GAAP. Consideration should 
be given to the adequacy of policies to account for CIP, including methodologies to apply 
overhead charges, and establishing an appropriate useful life for annual depreciation charges; 

b. Emphasize the need to record asset disposals in accordance with established policy; 

c. Consider adding supervision and monitoring controls to ensure that all intended corrective actions 
are effective and functioning properly; 

d. Establish and implement a standardized process that is integrated with its financial system of 
record in order to facilitate the timely recording of new assets placed into service; and 

e. Reinforce guidance for the performance and documentation of PP&E inventories. 

3. USCIS continue to adhere to its newly developed and implemented policies and procedures to properly 
account for and report leasehold improvements made to its facilities, and to properly account for and 
report internal use software balances in accordance with applicable accounting standards. 

4. NPPD continue to adhere to its newly developed and implemented policies and procedures and related 
internal controls to ensure that property purchased by its contractors and held at contractor sites are 
properly titled to DHS and are accurately and timely recorded in the general ledger. 

5. ICE continue to adhere to its newly developed and implemented policies and procedures to properly 
account for and report internal use software balances in accordance with applicable accounting 
standards. 

II-E Actuarial and Other Liabilities (FEMA and TSA) 



Background: FEMA is recognized as the primary grant-making 
component of DHS, managing multiple Federal disaster and 
non-disaster grant programs. 

TSA has numerous types of accounts payable and accrued liabilities 
that affect its balance sheet, including the Other Transactions 
Agreement (OTA) and Letters of Intent (LOI) programs. The OTA and 
LOI programs have grown substantially in recent years and function 
similar to grants, whereby TSA provides funding to airport recipients 
for various security improvements and construction. For this reason, 
TSA must estimate its accrued liability for expenditures incurred but 
not reported by OTA and LOI recipients when preparing financial 
statements. The OTA activity significantly increased in FY 2009, 
requiring TSA to develop new accounting processes to support this 
function. 

In FY 2009, the Immigration and Customs Enforcement (ICE), the 
Science and Technology Directorate (S&T), and the Federal Law Enforcement Training Center (FLETC) 
corrected the previously reported deficiencies in the environmental liabilities process. 

Conditions: We noted the following internal control weaknesses related to other liabilities at FEMA and 
TSA: 

1. FEMA does not have sufficient policies and procedures in place to fully comply with the Single Audit 
Act Amendments of 1996 (Single Audit Act) and related OMB Circular No. A-133, Audits of States, 
Local Governments, and Nonprofit Organizations (OMB Circular A-133) (see Comment IV-K, Single 
Audit Act Amendments of 1996). 

2. TSA: 

• Has not developed policies and procedures to accurately estimate its OTA accrued liability at year- 
end. The OTA liability was substantially understated in the draft financial statements until 
questioned by the auditor, which prompted TSA to consider the need for an accrual related to the 
incurred but unreported expenditures. This resulted in identification of an additional liability of 
approximately $50 million that was recorded at year-end; 

• Does not have documented policies and procedures to ensure that accounts payable accruals are 
complete and accurate, controls over the procurement process are effective, and documentation 
supporting transactions are available for audit. For example, we noted that: 

Controls including supervisory reviews are not always effective in identifying material errors 
in accounts payable and related accruals; 

The accounts payable sub-ledger is not routinely reconciled to the accounts payable general 
ledger (CAS). Specifically, it was noted that TSA was unable to provide a detail of open 
invoices as of the balance sheet date; 

Invoices are not always coded correctly as either expense or capitalizable expenditures; 

Evidence supporting the procurement and receipt of goods, and review and approval of 
transactions was not always available for audit; 

Controls to ensure the completeness of the data provided from contracting officers used to 
calculate the accounts payable accruals were not always operating effectively; 

Controls to ensure amounts recorded as part of system accounts payable are excluded from the 
accrual calculations were not always operating effectively; and 

Controls to ensure the accuracy of queries used to calculate the accounts payable accruals were 
not always operating effectively; 

• Does not perform an independent analysis of vendor confirmation data for which the LOI accrual 
is based to determine the accuracy of the confirmations. Further, TSA does not have documented 
policies and procedures in place to ensure that unconfirmed balances are properly stated. 

Cause/Effect: FEMA has not implemented policies and procedures over its grant program in order to ensure 
compliance with the Single Audit Act and OMB Circular A-133. 

TSA's risk assessment process at the transaction level is not fully developed or implemented to identify 
points at which a significant error could occur. As a result, accounts payable and unexpended 
appropriations may not be properly stated in the financial statements. In addition, when the OTA activity 
became material in FY 2009, TSA did not have adequate risk assessment processes to identify OTAs as a 
significant new process, requiring management to perform additional procedures to estimate the accrued 
liability. This deficiency is also related to the conditions described in Comment II-A, Financial 
Management and Reporting. 

Criteria: OMB Circular No. A-123 states, "Management is responsible for developing and maintaining 
effective internal control. Effective internal control provides assurance that significant weaknesses in the 
design or operation of internal control, that could adversely affect the agency's ability to meet its 
objectives, would be prevented or detected in a timely manner. Management should identify internal and 
external risks that may prevent the organization from meeting its objectives. When identifying risks, 
management should take into account relevant interactions within the organization as well as with outside 
organizations." 

The Single Audit Act, Section 7502 (f)(1)(B) states, "Each Federal agency which provides Federal awards 
to a recipient shall review the audit of a recipient as necessary to determine whether prompt and appropriate 
corrective action has been taken with respect to audit findings, as defined by the Director, pertaining to 
Federal awards provided to the recipient by the Federal agency." 

OMB Circular No. A-133, Subpart D, provides for the responsibilities of federal agencies and pass-through 
entities for audits of states, local governments, and non-profit organizations. 

Recommendations: We recommend that: 

1. FEMA implement policies and procedures to ensure full compliance with the Single Audit Act and the 
related OMB Circular No. A-133. 

2. TSA: 

a. Develop policies and procedures to accurately estimate its OTA accrued liability at year-end; and 

b. Develop and document policies and procedures to ensure that accounts payable accruals are 
complete and accurate, controls over the procurement process are designed and operating 
effectively, and documentation supporting transactions is available for audit. 



II-F Budgetary Accounting (FEMA and CBP) 

Background: Budgetary accounts are a category of general ledger 
accounts where transactions related to the receipt, obligation, and 
disbursement of appropriations and other authorities to obligate and 
spend agency resources are recorded. DHS has over 350 separate 
Treasury account fund symbols (TAFS) combined, each with separate 
budgetary accounts that must be maintained in accordance with OMB 
and Treasury guidance. The TAFS cover a broad spectrum of budget 
authority, including annual, multi-year, and no-year appropriations, and 
several revolving, special, and trust funds. Accounting for budgetary 
transactions in a timely and accurate manner is essential to managing 
the funds of the Department and preventing overspending of allotted budgets. 

In FY 2009, FEMA improved its processes and internal controls over the mission assignment obligation 
and monitoring process; however, some control deficiencies remain. 

CBP has implemented policies and procedures requiring the timely review and deobligation of funds when 
the contracts have expired or are complete. However, CBP has not been effective in adhering to its policy 
or in monitoring compliance. CBP has not made substantial progress in correcting the deficiencies we 
reported in FY 2008, and they are repeated below. 



Conditions: We noted the following internal control weaknesses related to budgetary accounting at FEMA 
and CBP: 

1. FEMA: 

• Did not consistently and effectively monitor the status of its obligations as part of its normal 
operations to ensure timely deobligation when appropriate. We noted that approximately 10 
percent of all undelivered order (UDO) samples tested for mission assignments and Grants and 
Training obligations were past their projected end dates by more than 90 days; 

• Could not readily provide all supporting documentation for UDOs, other than mission assignments 
and grants, that were tested at June 30, 2009 and September 30, 2009. We noted that for certain 
portions of the population, significant effort was required to coordinate and identify the responsible 
parties, to access certain files, or to provide information in a form that clearly supported the 
balances reported in the financial statements. 

2. CBP is not enforcing its policies and procedures (Directive 1220-01 IB and 1220-01 1C) to monitor and 
deobligate or close-out its obligations in a timely manner. We noted that CBP did not properly 
deobligate inactive undelivered orders for approximately 50 of the 64 items we tested as of June 2009. 
However, many of these obligations were subsequently deobligated during the open obligation review 
conducted in the fourth quarter by CBP. 

Cause/Effect: FEMA did not always receive timely progress reports from Other Federal Agencies (OFAs) 
that included sufficient cost and billing data, or a timely response to validation requests of open mission 
assignments. FEMA's administrative functions are geographically separated from programmatic 
operations, which makes locating UDO documentation difficult. Without supporting documentation, FEMA 
is unable to support the validity of UDO balances. 

CBP did not properly monitor all open obligations, and consequently, government funds may be committed 
and not made available to CBP for other Federal expenditures for longer periods of time than necessary. In 
addition, CBP's financial statements will not properly reflect the status of obligation. 

Criteria: FEMA's SOP for Processing Mission Assignment and Interagency Payments for Fund Code 06, 
updated April 2007, establishes the process for mission assignment closeouts. If no activity has been 
recorded within the last 90 days, the Disaster Finance Branch initiates the closeout process with the region 
or headquarters. 

FEMA Form 90-129, Mission Assignment Agreement, states that the OFA is responsible for submitting a 
Mission Assignment Monthly Progress Report to FEMA to include cost data when mission assignments 
take more than 60 days to complete, including billing. 

According to GAO Standards, "transactions should be promptly recorded to maintain their relevance and 
value to management in controlling operations and making decisions. This applies to the entire process or 
life cycle of a transaction or event from the initiation and authorization through its final classification in 
summary records." Further, "control activities help to ensure that all transactions are completely and 
accurately recorded." In addition, "internal control and all transactions and other significant events need to 
be clearly documented, and the documentation should be readily available for examination [. . .] All 
documentation and records should be properly managed and maintained." 

CBP Directive 1220-01 IB states that financial plan holders will review Systems, Applications, and 
Products (SAP) reports each quarter to reconcile their obligations to supporting records. 

CBP Directive 1220-01 1C states that a semi-annual review of specific populations of obligations must be 
performed and the status for each record identified to assure that only valid obligations remain open. 

Recommendations: We recommend that: 

1. FEMA: 

a. Consistently monitor the status of its obligations as part of the normal business process by: 

i) Ensuring that all mission assignments are reviewed and deobligated timely when authorized 
by the OFAs or when the OFAs have not responded in a reasonable period of time related to a 
mission assignment with no recent activity; and 

ii) Researching and resolving the status of aged obligations inherited from the former Office of 
Grants and Training; 

b. Continue to improve procedures for storing and locating documentation supporting UDO 
information, including points of contact, so that supporting information is readily available for 
management review and audit purposes. 

2. CBP: 

a. Implement improved procedures to ensure full compliance with CBP Directives 1220-01 IB and 
1220-01 1C to ensure that obligations are being reconciled to supporting documentation on a 
quarterly basis and reviewed for validity on a semi-annual basis. 

III-G Other Entity-Level Controls (USCG, FEMA, and TSA) 

Background: In the past two years, the Department of Homeland Security (DHS or the Department) has 
undertaken and completed several steps designed to strengthen its entity and process level internal controls, 
and thereby improve the reliability of financial reporting. These steps are documented in the Internal 
Control over Financial Reporting Playbook released in March 2009, and in component level Mission 
Action Plans (MAPs) finalized early in fiscal year (FY) 2009. The Department continued its Office of 
Management and Budget (OMB) Circular No. A-123, Management's Responsibility for Internal Control, 
assessment in FY 2009. 

The comments below should be read in conjunction with Comments I-B and II-B, Information Technology 
Controls and Financial System Functionality, which describe entity-level control weaknesses related to 
Department and Component IT systems. Entity-level control deficiencies related to the United States Coast 
Guard (Coast Guard), the Federal Emergency Management Agency (FEMA), U.S. Customs and Border 
Protection (CBP), and the Transportation Security Administration (TSA) are presented in Comments I-A 
and II-A, Financial Management and Reporting, respectively, related to financial management. 

The Coast Guard updated its MAPs and Financial Strategy for Transformation and Audit Readiness 
(FSTAR) in FY 2009. The FSTAR is a comprehensive plan to identify and correct the root causes of 
control deficiencies. 

FEMA achieved its MAPs to eliminate the account balance qualifications identified in the Independent 
Auditors' Report (IAR) in FY 2008. FEMA also made continued progress toward correction of its entity- 
level control deficiencies in FY 2009. While progress has been made, some entity-level control 
deficiencies identified at FEMA in previous years continued during FY 2009, and are repeated below. 

Conditions: We noted the following internal control weaknesses related to other entity-level controls: 

1. Coast Guard: 

• Has not developed adequate policies, procedures, or controls associated with training and continual 
education courses associated with personnel with financial duties; 

• Does not have standardized job descriptions at a level of detail that includes identification and 
definition of tasks required to accomplish particular assignments that have financial duties filled by 
military personnel; 

• Does not have policies that are operating effectively for hiring and evaluating financial employees, 
as management does not maintain adequate documentation for certain hiring requirements and 
periodic performance evaluations; 

• Has not developed adequate controls with the Standards of Ethical Conduct to a) ensure that recent 
changes in the Coast Guard environment are included, and b) track and monitor compliance, 
including document retention for the investigation of any violation and corrective actions taken to 
ensure proper filing and review of the Confidential Disclosure Reports and ethics training 
requirements; and 

• Has not fully implemented a Coast Guard-wide formal policy to appropriately address intervention 
of management override of internal controls. 

2. FEMA: 

• Has not developed sufficiently effective methods of communication to ensure that significant 
financial-related system development and acquisition projects involve all relevant stakeholders, 
including the Office of the Chief Financial Officer (OCFO), to ensure the projects meet 
organizational mission needs and functional and technical requirements; 

• Has not developed sufficiently effective methods of communication to ensure that significant 
accounting changes made by its flood insurance contractor are reviewed and approved by the 
OCFO prior to implementation; 

• Has not completed the placement of sufficient financial and accounting resources related to 
mission assignments, which contributes to certain issues in the accounting for these agreements. 
In a sample of 505 mission assignment payments selected for testwork as of June 30, 2009, we 
noted that approximately 35 percent of the payments were not properly reviewed and approved in 
accordance with FEMA policy; 

• Has not completed its documentation and/or update of formal policies and procedures (including 
desk manuals) for several of the roles, responsibilities, processes, and functions performed within 
FEMA. For example, in FY 2009, we noted that improvements are needed in the formal 
documentation of policies and procedures related to Anti-deficiency Act compliance and policies 
for monitoring and responding to OMB Circular No. A-133, Audits of States, Local Governments, 
and Non-Profit Organizations, reports, Office of Inspector General (OIG) reports, and 
Government Accountability Office (GAO) report findings and recommendations; 

• Has identified the Risk Management and Compliance Branch's primary function as the 
implementation of policies and procedures to close findings issued as a result of multiple external 
audits. Its mission does not fully support internal control monitoring to assess the overall quality 
and performance of operations on a continual basis; 

• Has not committed sufficient resources to ensure that personnel attend required ethics training; and 

• Has not developed sufficient policies and procedures to properly designate position sensitivity for 
positions that use, develop, or operate IT systems; track the status of background investigations; 
and maintain related documentation. 

3. TSA has not implemented an agency-wide formal policy to appropriately address intervention of 
management override of internal controls. 

Cause/Effect: Coast Guard management has acknowledged that longstanding procedural, control, 
personnel, IT and cultural issues have impeded progress toward installing an effective financial 
management structure. Coast Guard has developed and is in the process of a multi-year MAP that addresses 
entity-level controls. 

In FY 2009, FEMA devoted substantial resources to developing its accounts payable accrual methodology, 
evaluating its capitalized internal use software, and developing certain policies and procedures. 
Consequently, FEMA devoted comparatively less attention to improving the underlying accounting 
processes and correcting other control deficiencies in FY 2009. Decentralized and informal background 
investigation processes present potential risks to FEMA's operations and IT systems. 

TSA's Internal Control Group is still in the process of documenting and testing baseline controls. In the 
past, TSA assumed that compliance with policies and procedures and performance of control procedures 
was implicit in every person's job description. Therefore, the need for a policy to appropriately address 
intervention of management override of controls without appropriate approvals was not identified until 
TSA fully implemented the provisions of OMB Circular No. A-123 in connection with the external 
financial statement audit. 

In its FY 2009 representations made to the Secretary pursuant to the DHS Financial Accountability Act, 
Coast Guard and FEMA stated that they cannot provide reasonable assurance that internal control over 
financial reporting is operating effectively. 

Criteria: OMB Circular No. A-123, as revised, states that internal controls are the organization, policies, 
and procedures that agencies use to help program and financial managers achieve results and safeguard the 
integrity of their programs. 

The Federal Managers' Financial Integrity Act of 1982 (FMFIA) requires that agencies establish internal 
controls according to standards prescribed by the Comptroller General. These standards are established in 
the GAO's Standards for Internal Control in the Federal Government (Standards). The GAO defines 
internal control as an integral component of an organization's management that provides reasonable 
assurance that the following objectives are achieved: effectiveness and efficiency of operations, reliability 
of financial reporting, and compliance with applicable laws and regulations. 

The GAO Standards identify the control environment as one of the five key elements of control, which 
emphasizes the importance of conscientiousness in management's operating philosophy and commitment to 
internal control. These standards cover controls such as human capital practices, supervisory reviews, 
policies, procedures, monitoring, and segregation of duties. 

DHS 4300A Sensitive Systems Policy Directive, Version 6.1.1, and DHS 4300A Sensitive Systems 
Handbook, Version 6.1.1, set forth requirements related to background investigations for federal employees 
and contractors requiring access to DHS systems. 

Recommendations: We recommend that: 

1. Coast Guard: 

a. Review and enhance, if necessary, the entity level planned actions on its FSTAR to include steps 
to fully assess entity level controls, develop effective corrective actions, and implement improved 
financial processes and systems. 

2. FEMA: 

a. Develop and implement agency-wide communication protocols to ensure that significant financial- 
related system development and acquisition projects involve all relevant stakeholders, including 
the OCFO; 

b. Develop and implement communication protocols with its flood insurance contractor to ensure 
that all significant accounting changes are reviewed and approved by the OCFO prior to 
implementation; 

c. Ensure sufficient financial and accounting resources are in place to address weaknesses related to 
mission assignment accounting; 

d. Ensure that formal policies and procedures (including desk manuals) are documented and current 
for all significant roles, responsibilities, processes, and functions performed within FEMA; 

e. Expand the mission and staffing of the Risk Management and Compliance Branch to perform 
internal control monitoring to assess the overall quality and performance of operations on a 
continual basis; 

f. Complete development and implementation of procedures and dedicate resources to provide, track 
compliance with, and monitor the annual and new hire ethics training requirements; and 

g. Develop and implement policies and procedures to properly designate position sensitivity for all 
positions that use, develop, or operate IT systems; track the status and completion of background 
investigations; and maintain related documentation. 

3. TSA: 

a. Develop explicit policies that appropriately address intervention of management override of 
controls. 

III-H Custodial Revenue and Drawback 

Background: CBP collects approximately $26.4 billion in annual import duties, taxes, and fees on 
merchandise arriving in the United States from foreign countries (identified below as the Entry Process). 
Receipts of import duties and related refunds are presented in the statement of custodial activity in the DHS 
financial statements. 

Drawback is a remittance, in whole or in part, of duties, taxes, or fees previously paid by an importer. 
Drawback typically occurs when the imported goods on which duties, taxes, or fees have been previously 
paid, and are subsequently exported from the United States or destroyed prior to entering the commerce of 
the United States. 

Our findings on the Entry Process include In-bond, Bonded Warehouse, Foreign Trade Zones, and the 
Compliance Measurement Program (CM). In-bond entries occur when merchandise is transported through 
one port; however, the merchandise generally does not officially enter U.S. commerce until it reaches the 
intended port of destination. Bonded Warehouses (BWH) are facilities, under the joint supervision of CBP 
and the Bonded Warehouse Proprietor, used to store merchandise that has not made entry into the United 
States commerce. Foreign Trade Zones (FTZ) are secured areas under CBP supervision that are used to 
manufacture goods that are considered outside of the United States commerce for duty collection. 

CM is the primary method by which CBP measures risk in the areas of cargo security, trade compliance, 
and revenue collection. CBP utilizes the CM program to measure the effectiveness of its control 
mechanisms deployed, and its execution in collecting revenues rightfully due to the U.S. Department of the 
Treasury. 

Conditions: We noted the following internal control weaknesses related to custodial activities at CBP: 

Related to drawback: 

• The Automated Commercial System (ACS) lacks automated controls to detect and prevent 
excessive drawback claims and overpayments, necessitating inefficient manual processes that do 
not effectively compensate for these automated controls; 

• ACS lacks controls to prevent the overpayment of drawback claims at the summary line level; 

• Drawback review policies do not require drawback specialists to review all, or a statistically valid 
sample, of prior drawback claims against the underlying consumption entries (UCE) to determine 
whether, in the aggregate, an excessive amount was claimed; 

• Drawback review policy and procedures allow drawback specialists, with supervisory approval, to 
judgmentally decrease the number of ACS selected UCEs randomly selected for review, thus 
decreasing the review's effectiveness. Further, CBP implemented a sampling methodology for 
selecting UCEs; however, this methodology is not considered to be statistically valid; 

• The period for document retention related to a drawback claim is only three years from the date of 
payment. However, there are several situations that could extend the life of the drawback claim 
well beyond three years. 

Related to the Entry Process: 

• CBP is unable to determine the status of the in-bond shipments and lacks policies and procedures 
throughout the year that require monitoring the results of in-bond audits and require the review of 
overdue immediate transportation in-bonds or air in-bonds. The requirement for ports to review 
overdue immediate transportation in-bonds was not implemented until February 2009; 

• CBP does not perform an analysis to ensure there is not a potentially significant loss of revenue 
through the in-bond process, as a result of goods entering the commerce of the U.S. without formal 
entry; 

• CM oversight guidelines do not provide complete coverage over the CM program. The ports are 
not following a consistent set of procedures when performing CM reviews, and there are 
weaknesses in the oversight and monitoring of the CM program; and 

• Current BWH and FTZ Compliance Review Manuals lack specific guidance for ports to determine 
the appropriate risk assessment of a BWH or FTZ. In addition, headquarters review of the BWHs 
and FTZs assessment results does not provide CBP with objective data related to the effectiveness 
of compliance reviews, common discrepancies found and the risks associated with those 
discrepancies, and techniques for mitigating risks. 

Cause/Effect: IT system functionality and outdated IT systems contribute to the weaknesses identified 
above. For example, CBP is unable to determine the status of the in-bond shipments with the information 
available within ACS, and CBP does not have the ability to run an oversight report to determine if ports 
have completed all required audits. For drawback, much of the process is manual until planned IT system 
functionality improvements are made, placing an added burden on limited resources. 

The inability to effectively monitor the in-bond process and verify the arrival of in-bond merchandise at the 
port level can lead to a potential loss in revenue. This potential loss in revenue is due to uncollected duties 
and fees on in-bond merchandise that has physically entered U.S. commerce without formal entry. 

The weaknesses in the CM program could result in CBP incorrectly evaluating the effectiveness of its 
control environment over the collections of duties, taxes, and fees. 

It is possible that BWH/FTZ operators and users may be able to operate BWHs and FTZs that contain 
merchandise that CBP has no or limited knowledge about. 

Criteria: Under FMFIA, management must implement cost-effective controls to safeguard assets and 
ensure reliable financial reporting. OMB's Revised Implementation Guidance for FFMIA, states that 
financial systems should "routinely provide reliable financial information consistently, accurately, and 
reported uniformly" to support management of current operations. 

The Financial Systems Integration Office (FSIO) publications and OMB Circular No. A-127, Financial 
Management Systems, outline the requirements for Federal financial systems. The Office of Federal 
Financial Management's Core Financial System Requirements, dated January 2006, states that the core 
financial system must maintain detailed information sufficient to provide audit trails and to support 
reconciliation and research activities. OMB Circular No. A-127 requires that the design of financial 
systems should eliminate unnecessary duplication of a transaction entry. Wherever appropriate, data needed 
by the systems to support financial functions should be entered only once, and other parts of the system 
should be updated through electronic means consistent with the timing requirements of normal 
business/transaction cycles. 

The Improper Payments Information Act of 2002 requires agencies to annually review programs and 
activities and identify any that may be susceptible to significant improper payment. Whenever an agency 
estimates that improper payments may exceed $10 million, it must also provide a report on what actions are 
being taken to reduce such payments. In addition to the statutory requirements stated above, CBP's 
Drawback Handbook, dated July 2004, states that management reviews are necessary to maintain a uniform 
national policy of supervisory review. 

Recommendations: We recommend that CBP: 

1. Related to drawback: 

a. Implement effective internal controls over drawback claims as part of any new system initiatives, 
including the ability to compare, verify, and track essential information on drawback claims to the 
related underlying consumption entries and export documentation for which the drawback claim is 
based, and identify duplicate or excessive drawback claims; 

b. Develop and implement automated controls to prevent overpayment of a drawback claim; 

c. Develop a system or process to eliminate the need for statistical sampling of UCE and prior related 
drawback claims as drawback claims. In addition, until this system or process is implemented, we 
recommend that CBP explore other statistical approaches for selecting UCEs and prior related 
drawback claims under the current ACS environment; 

2. Related to the Entry Process: 

a. Implement a standard procedure to periodically compile the results of all in-bond audits during the 
year and develop an analysis function in order to evaluate the importers' compliance with 
regulations; 

b. Develop or emphasize policies and procedures to monitor the results of in-bond audits at the port 
level and to require reviews of overdue immediate transportation in-bonds and air in-bonds; 

c. Analyze the in-bond program annually to determine the potential loss of revenue relating to in- 
bonds; 

d. Provide additional detail in the CM guidelines, specifying the use of the monitoring report, data 
queries, and any other tools to provide complete coverage over the CM program. The guidance 
should also readdress the timing requirements for the monitoring reports or data queries; 

e. Develop standard operating procedures for conducting risk assessments for all BWHs and FTZs. 
In addition, develop standardized procedures for headquarters or field office oversight to ensure 
compliance review schedules are being reviewed timely, and provide effective training to ensure 
that all ports are aware of updates and changes to the program and can consistently execute all 
requirements presented in the compliance review manuals and handbooks; and 

f. Continue the implementation of a national database of BWHs and FTZs and develop procedures to 
ensure completeness. 

(Exhibits I and II include Comments A - F, and Exhibit III presents Comments G - H) 

All of the compliance and other matters described below are repeat conditions from FY 2008. 

IV-I Federal Managers' Financial Integrity Act of 1982 (FMFIA) and Laws and Regulations Supporting 
OMB Circular No. A-50, Audit Follow-Up, as revised 

Office of Management and Budget (OMB) Circular No. A-123, Management's Responsibility for Internal 
Control, requires agencies and Federal managers to: (1) develop and implement internal controls; (2) assess the 
adequacy of internal controls; (3) separately assess and document internal control over financial reporting; (4) 
identify needed improvements; (5) take corresponding corrective action; and (6) report annually on internal 
controls. During fiscal year (FY) 2009 and 2008, the Department of Homeland Security (DHS or the 
Department) developed an annual Internal Control Playbook to implement corrective actions and support 
management assurances by performing tests of design and operating effectiveness of entity level controls and 
other financial accounting and reporting processes. DHS' implementation of OMB Circular No. A-123 
facilitates compliance with the Federal Managers' Financial Integrity Act of 1982 (FMFIA). The DHS 
Financial Accountability Act of 2004 requires DHS to submit an annual audit opinion of internal control over 
financial reporting. The Secretary of DHS has stated in the Secretary's Assurance Statements dated November 
13, 2009, as presented in Management's Discussion and Analysis (MD&A) of the Department's 2009 Annual 
Financial Report (AFR), that based on the material weaknesses identified from the OMB Circular A-123 
assessment, the Department provides no assurance that internal control over financial reporting was operating 
effectively as of September 30, 2009. 

In addition, OMB Circular No. A-50, as revised, provides guidance for use by executive agencies when 
considering reports issued by Inspectors General, other executive branch audit organizations, the Government 
Accountability Office (GAO), and non-Federal auditors, where follow up is necessary. Corrective action taken 
by management on findings and recommendations is essential to improve the effectiveness and efficiency of 
government operations, and to support the objectives of sound fiscal management. As described above, the DHS 
OCFO has developed an extensive corrective action plan that requires each component to develop and execute 
corrective actions to address all material weaknesses in internal controls. This strategy is documented in the 
Internal Control Playbook. Progress is monitored by the Under Secretary for Management (USM) and the 
CFO, and regularly reported to OMB and other outside stakeholders, such as Congressional Committees. We 
noted that each component has complied with the DHS directive to develop corrective actions, and they have 
been reviewed and approved by the USM and CFO. All DHS components have made progress toward 
remediation of material internal control weaknesses; however, as shown in Exhibits I, II and III, deficiencies 
identified in prior years have not been fully corrected in FY 2009. 

While we noted the Department overall has taken positive steps toward full compliance with FMFIA, OMB 
Circular No. A-123, OMB Circular No. A-50, and the DHS Financial Accountability Act, the Department has 
not fully established effective systems, processes, policies, and procedures to ensure that internal controls are 
operating effectively throughout the Department. 

Recommendation: We recommend that the Department continue its corrective actions to address internal 
control deficiencies, in order to ensure full compliance with FMFIA and its OMB-approved plan for 
implementation of Circular No. A-123, in future years. We also recommend that DHS continue to follow and 
complete the actions defined in the Internal Control Playbook, to ensure that audit recommendations are 
resolved timely and corrective action plans addressing all DHS audit findings are developed and implemented 
together with appropriate supervisory review in FY 2010. 

IV-J Federal Financial Management Improvement Act of 1996 (FFMIA) 

FFMIA Section 803(a) requires that agency Federal financial management systems comply with (1) applicable 
Federal accounting standards; (2) Federal financial management system requirements; and (3) the United States 
Government Standard General Ledger (USSGL) at the transaction level. FFMIA emphasizes the need for 
agencies to have systems that can generate timely, reliable, and useful information with which to make 
informed decisions to ensure ongoing accountability. OMB Circular No. A-123 requires agencies and Federal 
managers to: (1) develop and implement internal controls; (2) assess the adequacy of internal controls; (3) 
separately assess and document internal control over financial reporting; (4) identify needed improvements; (5) 
take corresponding corrective action; and (6) report annually on internal controls. During FY 2009, DHS 
OCFO continued with its implementation of OMB Circular No. A-123 by performing tests of design and 
operating effectiveness on entity level controls and other financial accounting and reporting processes as 
planned. 

While we noted the Department overall has taken positive steps toward full compliance with FFMIA, the Coast 
Guard, US Customs and Border Protection (CBP), the Federal Emergency Management Agency (FEMA), the 
Federal Law Enforcement Training Center (FLETC), and TSA did not fully comply with at least one of the 
requirements of FFMIA. The reasons for noncompliance are reported in Exhibits I, II, and III. The Secretary of 
DHS has stated in the Secretary's Assurance Statements dated November 13, 2009 that the Department's 
financial management systems do not substantially conform to government wide requirements mandated by 
FFMIA. The Department's remedial actions and related timeframes are also presented in that section of the 
AFR. 

An element within FFMIA Federal system requirements is ensuring security over financial management 
information. This element is addressed further in the Federal Information Security Management Act of 
2002 (FISMA), which was enacted as part of the E-Government Act of 2002. FISMA requires the head of 
each agency to be responsible for (1) providing information security protections commensurate with the 
risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, 
modification, or destruction of (i) information collected or maintained and (ii) information systems used or 
operated; (2) complying with the requirements of the Act and related policies, procedures, standards, and 
guidelines, including (i) information security standards under the United States Code, Title 40, Section 
11331 and (ii) information security standards and guidelines for national security systems; and (3) ensuring 
that information security management processes are integrated with agency strategic and operational 
planning processes. 

We noted weaknesses in financial systems security, reported by us in Comments I-B and II-B, Information 
Technology Controls and Financial System Functionality, which impact the Department's ability to fully 
comply with FISMA. 

Recommendation: We recommend that DHS improve its financial management systems to ensure 
compliance with the FFMIA, and implement the recommendations provided in Exhibits I, II, and III, in FY 
2010. 

IV-K Single Audit Act Amendments of 1996 (Single Audit) 

FEMA is the only DHS component that has a significant grant making operation. OMB Circular No. A-133, 
Audits of States, Local Governments, and Non-Profit Organizations, requires agencies awarding grants to 
ensure they receive grantee reports timely and to follow-up on Single Audit findings to ensure that grantees take 
appropriate and timely action. Although FEMA has adopted procedures to monitor grantees and their audit 
findings, FEMA did not fully comply with provisions in OMB Circular No. A-133 in FY 2009. We noted that 
FEMA does not always obtain and review grantee Single Audit reports in a timely manner, or follow up on 
questioned costs and other matters identified in these reports. Because Single Audits typically are performed by 
other entities outside of DHS, procedures related to these reports are not always entirely within the control of 
DHS and its components. 

Recommendations: We recommend that: 

1. FEMA develop procedures to ensure compliance with its policy to obtain and review grantee Single Audit 
reports in a timely manner, and follow-up on questioned costs and other matters identified in these reports. 
We also recommend that FEMA perform the following in FY 2010: 

a. Further develop and implement a tracking system to identify each grantee for which a Single Audit is 
required, and the date the audit report is due; 

b. Use the tracking system to ensure audit reports are received timely, and follow-up when reports are 
overdue; and 

c. Perform reviews of grantee audit reports, issue-related management decisions, and ensure that the 
grantees take appropriate corrective action, on a timely basis. 

IV-L Chief Financial Officers Act of 1990 

The DHS Financial Accountability Act of 2004 made DHS subject to the Chief Financial Officers Act of 1990, 
as amended, which requires DHS to submit to the Congress and OMB audited financial statements annually. 
DHS' Office of the Inspector General (OIG) has engaged an independent auditor to audit the September 30, 
2009 balance sheet and related statement of custodial activity. Other financial statements, including the 
statements of net cost, changes in net position, and budgetary resources, are not currently auditable. DHS must 
be able to represent that its balance sheet is fairly stated, and obtain at least a qualified opinion before it is 
practical to extend the audit to other financial statements. 

Recommendation: We recommend that DHS and its components continue to implement the Mission Action 
Plans described in DHS' Internal Control Playbook (see Comment IV-I, Federal Managers' Financial 
Integrity Act of 1982, above) to remediate the FY 2009 material weaknesses and significant deficiencies, and 
improve its policies, procedures, and processes, as necessary, to allow management to assert that all financial 
statements are fairly stated in compliance with accounting principles generally accepted in the United States, 
and are ready for an independent audit. 

IV-M Anti-deficiency Act (ADA) 

Various management reviews and OIG investigations are on-going within the Department and its 
components that may identify ADA violations. FEMA has initiated a preliminary review of certain 
expenditures occurring in FY 2008, that may have violated the Anti-deficiency Act. The Coast Guard 
management continues to work to resolve two potential ADA violations, one that was determined in FY 
2008 related to use of Operation funds to purchase shore assets, and a second identified in FY 2009 related 
to exceeding its obligation authority in the Acquisition, Construction and Improvement Appropriation. 
National Protection and Programs Directorate (NPPD) management is continuing their review, initiated in 
FY 2007, over the classification and use of certain funds that may identify an ADA violation. In addition, 
NPPD management has continued a review initiated in FY 2008 of certain fees collected for attendance at a 
DHS-sponsored annual conference that may identify a violation of the ADA. The Congress has asked the 
Comptroller General to review certain United States Secret Service salaries and expenses that may identify 
a violation of the ADA. 

Recommendations: We recommend that the Department, along with the OIG and the other components, 
complete the internal reviews currently planned or being performed, and properly report the results in 
compliance with the ADA, if necessary. 

Appendix A 

Management's Response 



Office of the Chief Financial Officer 
U.S. Department of Homeland Security 
Washington, DC 20528 

November 12, 2009 

MEMORANDUM FOR: Richard L. Skinner, Inspector General 

FROM: Peggy Sherry, Acting Chief Financial Officer 

SUBJECT: Fiscal Year (FY) 2009 Financial and Internal Controls Audit 



Thank you for the opportunity to comment on the Independent Public Accountant's audit of our 
balance sheets, the related statement of custodial activities and internal controls as of September 
30, 2009 and 2008. We agree with the Independent Public Accountant's conclusions. 

Although the report indicates that DHS still faces serious financial management challenges, the 
auditor noted the Department's progress in implementing corrective actions and improving the 
quality and reliability of our financial reporting. Specifically, over the past year, we reduced 
material weaknesses at FEMA from four to two, and we can now assert to more than 
50 percent of the Department's total liabilities. We also achieved full compliance with the 
Improper Payments Information Act, the Debt Collection Improvement Act, and the Government 
Performance and Results Act. We completed the Department's multi-year plan to implement 
OMB Circular No. A-123, Management's Responsibility for Internal Control, and we reduced 
the number of Component conditions that contributed to our material weaknesses in internal 
controls over financial reporting by more than half since FY 2006. As we increase the number of 
standalone audits and scrutiny on our account balances, DHS will discover additional 
opportunities for financial management improvement and will continue to strengthen internal 
controls and accountability. 

The FY 2009 audit results show that our corrective actions are working, and we are already 
focusing our efforts on the remaining issues before us. Financial management has come a long 
way at DHS. I continue to be inspired by the extraordinary efforts of our dedicated staff at 
Headquarters and in the Components to becoming "One DHS," and I am committed to pursuing 
financial management success. 

I want to thank you for your efforts and the continued dedication by your staff to work 
collaboratively in addressing our challenges. As we continue our steadfast progress, I look 
forward to working with the OIG and the Independent Public Accountant. 

Report Distribution 



Department of Homeland Security 

Secretary 

Deputy Secretary 

Chiefs of Staff for Operations 

Deputy Chief of Staff for Policy 

Deputy Chiefs of Staff 

General Counsel 

Executive Secretariat 

Director, GAO/OIG Liaison Office 

Assistant Secretary for Office of Policy 

Assistant Secretary for Office of Public Affairs 

Assistant Secretary for Office of Legislative Affairs 

Under Secretary for Management 

Chief Information Officer 

Chief Security Officer 

Chief Privacy Officer 

Office of Management and Budget 

Chief, Homeland Security Branch 
DHS OIG Budget Examiner 

Congress 



Congressional Oversight and Appropriations Committees, as appropriate 




ADDITIONAL INFORMATION AND COPIES 

To obtain additional copies of this report, please call the Office of Inspector General (OIG) at (202) 254-4100, 
fax your request to (202) 254-4305, or visit the OIG web site at www.dhs.gov/oig. 



OIG HOTLINE 

To report alleged fraud, waste, abuse or mismanagement, or any other kind of criminal or noncriminal 
misconduct relative to department programs or operations: 

• Call our Hotline at 1-800-323-8603; 

• Fax the complaint directly to us at (202) 254-4292; 

• Email us at DHSOIGHOTLINE@dhs.gov; or 

• Write to us at: 

DHS Office of Inspector General/MAIL STOP 2600, 
Attention: Office of Investigations - Hotline, 
245 Murray Drive, SW, Building 410, 
Washington, DC 20528. 



The OIG seeks to protect the identity of each writer and caller. 



